SI Bingley Club’s Data Breach Policy


SOROPTIMIST INTERNATIONAL OF BINGLEY
CLUB’S DATA BREACH POLICY

For the purpose of this document, references to Soroptimist International Great Britain and Ireland (SIGBI) Limited and Soroptimist International may be written as “SIGBI” and “SI” only.

Bingley Club Data Breach Policy

Introduction
SI Bingley holds and processes personal data which needs to be protected. Every care is taken to protect the data we hold. Compromise of information, confidentiality, integrity or availability may result in harm to individuals, reputational damage, detrimental effect on service provision, legislative non-compliance and financial penalties.

Purpose
This policy sets out the procedure to be followed to ensure a consistent and effective approach throughout the organisation.

Scope
The policy relates to all personal data held by us, regardless of format. It applies to anyone who handles this personal data, including those working on our behalf. The objective of the policy is to contain any breaches, to minimise the risks associated with the breach and to consider what action is necessary to secure personal data and prevent any further breach.

Types of breach
An incident is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately, and has caused or has the potential to cause damage to data subjects/members.

An incident includes but is not restricted to:
• Loss or theft of personal data or the equipment on which the data is stored e.g. laptop, memory stick, smartphone, or paper record.
• Theft or failure of equipment on which personal data is stored
• Unauthorised use of or access to personal data
• Attempts to gain unauthorised access to personal data
• Unauthorised disclosure of personal data
• Website defacement
• Hacking attack

Reporting an incident
Any person using personal data on behalf of the club is responsible for reporting data breach incidents immediately to the Executive and Development Committee, using the Data Breach Report Form set out below.

The report should contain the following details:
• Date and time of discovery of breach.
• Details of person who discovered the breach.
• The nature of the personal data involved.
• How many data subjects’/members’ data is affected.

Containment and recovery
The Executive and Development Committee will first ascertain if the breach is still occurring. If so, appropriate steps will be taken immediately to minimise the effects of the breach. An assessment will be carried out to establish the severity of the breach and the nature of further investigation required. Consideration will be given as to whether the police should be informed. Advice from appropriate experts will be sought if necessary. A suitable course of action will be taken to ensure a resolution to the breach.

Investigation and risk assessment
An investigation will be carried out without delay and where possible within 24 hours of the breach being discovered. The Executive and Development Committee will assess the risks associated with the breach, the potential consequences for the data subjects/members, how serious and substantial those are and how likely they are to occur.

The investigation will take into account the following:
• The type of data involved and its sensitivity.
• The protections in place (e.g. encryption).
• What has happened to the data.
• Whether the data could be put to illegal or inappropriate use.
• Who the data subjects/members are, how many are involved, and the potential effects on them.
• Any wider consequences.

Notification
The Executive and Development Committee will decide with appropriate advice who needs to be notified of the breach. Every incident will be assessed on a case by case basis. Consideration will be given to notifying the Information Commissioner if a large number of people are affected or the consequences for the data subjects/members are very serious. Guidance on when and how to notify the ICO is available on their website:
www.ico.org.uk/media/1536/breach_reporting.pdf

Notification to the data subjects/members whose personal data has been affected by the incident will include a description of how and when the breach occurred, and the nature of the data involved. Specific and clear advice will be given on what they can do to protect themselves and what has already been done to mitigate the risks. The Executive and Development Committee will keep a record of all actions taken in respect of the breach.

Evaluation and response
Once the incident is contained, the Executive and Development Committee will carry out a review of the causes of the breach, the effectiveness of the response, and whether any changes to systems, policies or procedures should be undertaken. Consideration will be given to whether any corrective action is necessary to minimise the risk of similar incidents occurring.

See next page for a Data Breach Report.

Data Breach Report
Date and Time of Discovery of Breach
Name of Person Discovering Breach
Nature of Personal Data Involved

How Many Individuals’ Data is affected
Assessment Carried Out By
What actions were taken?

Further Investigation/Advice required?

Resolution

Signed by: Date: