SOROPTIMIST INTERNATIONAL OF BINGLEY
\nCLUB\u2019S DATA BREACH POLICY<\/p>\n
For the purpose of this document, references to Soroptimist International Great Britain and Ireland (SIGBI) Limited and Soroptimist International may be written as \u201cSIGBI\u201d and \u201cSI\u201d only.<\/p>\n
Bingley Club Data Breach Policy<\/p>\n
Introduction
\nSI Bingley holds and processes personal data which needs to be protected. Every care is taken to protect the data we hold. Compromise of information, confidentiality, integrity or availability may result in harm to individuals, reputational damage, detrimental effect on service provision, legislative non-compliance and financial penalties.<\/p>\n
Purpose
\nThis policy sets out the procedure to be followed to ensure a consistent and effective approach throughout the organisation.<\/p>\n
Scope
\nThe policy relates to all personal data held by us, regardless of format. It applies to anyone who handles this personal data, including those working on our behalf. The objective of the policy is to contain any breaches, to minimise the risks associated with the breach and to consider what action is necessary to secure personal data and prevent any further breach.<\/p>\n
Types of breach
\nAn incident is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately, and has caused or has the potential to cause damage to data subjects\/members.<\/p>\n
An incident includes but is not restricted to:
\n\u2022 Loss or theft of personal data or the equipment on which the data is stored e.g. laptop, memory stick, smartphone, or paper record.
\n\u2022 Theft or failure of equipment on which personal data is stored
\n\u2022 Unauthorised use of or access to personal data
\n\u2022 Attempts to gain unauthorised access to personal data
\n\u2022 Unauthorised disclosure of personal data
\n\u2022 Website defacement
\n\u2022 Hacking attack<\/p>\n
Reporting an incident
\nAny person using personal data on behalf of the club is responsible for reporting data breach incidents immediately to the Executive and Development Committee, using the Data Breach Report Form set out below.<\/p>\n
The report should contain the following details:
\n\u2022 Date and time of discovery of breach.
\n\u2022 Details of person who discovered the breach.
\n\u2022 The nature of the personal data involved.
\n\u2022 How many data subjects\u2019\/members\u2019 data is affected.<\/p>\n
Containment and recovery
\nThe Executive and Development Committee will first ascertain if the breach is still occurring. If so, appropriate steps will be taken immediately to minimise the effects of the breach. An assessment will be carried out to establish the severity of the breach and the nature of further investigation required. Consideration will be given as to whether the police should be informed. Advice from appropriate experts will be sought if necessary. A suitable course of action will be taken to ensure a resolution to the breach.<\/p>\n
Investigation and risk assessment
\nAn investigation will be carried out without delay and where possible within 24 hours of the breach being discovered. The Executive and Development Committee will assess the risks associated with the breach, the potential consequences for the data subjects\/members, how serious and substantial those are and how likely they are to occur.<\/p>\n
The investigation will take into account the following:
\n\u2022 The type of data involved and its sensitivity.
\n\u2022 The protections in place (e.g. encryption).
\n\u2022 What has happened to the data.
\n\u2022 Whether the data could be put to illegal or inappropriate use.
\n\u2022 Who the data subjects\/members are, how many are involved, and the potential effects on them.
\n\u2022 Any wider consequences.<\/p>\n
Notification
\nThe Executive and Development Committee will decide with appropriate advice who needs to be notified of the breach. Every incident will be assessed on a case by case basis. Consideration will be given to notifying the Information Commissioner if a large number of people are affected or the consequences for the data subjects\/members are very serious. Guidance on when and how to notify the ICO is available on their website:
\nwww.ico.org.uk\/media\/1536\/breach_reporting.pdf<\/p>\n
Notification to the data subjects\/members whose personal data has been affected by the incident will include a description of how and when the breach occurred, and the nature of the data involved. Specific and clear advice will be given on what they can do to protect themselves and what has already been done to mitigate the risks. The Executive and Development Committee will keep a record of all actions taken in respect of the breach.<\/p>\n
Evaluation and response
\nOnce the incident is contained, the Executive and Development Committee will carry out a review of the causes of the breach, the effectiveness of the response, and whether any changes to systems, policies or procedures should be undertaken. Consideration will be given to whether any corrective action is necessary to minimise the risk of similar incidents occurring.<\/p>\n
See next page for a Data Breach Report.<\/p>\n
Data Breach Report
\nDate and Time of Discovery of Breach
\nName of Person Discovering Breach
\nNature of Personal Data Involved<\/p>\n
How Many Individuals\u2019 Data is affected
\nAssessment Carried Out By
\nWhat actions were taken?<\/p>\n
Further Investigation\/Advice required?<\/p>\n
Resolution<\/p>\n
Signed by: Date:<\/p>\n","protected":false},"excerpt":{"rendered":"
SOROPTIMIST INTERNATIONAL OF BINGLEY CLUB\u2019S DATA BREACH POLICY For the purpose of this document, references…<\/p>\n","protected":false},"author":552,"featured_media":0,"parent":606,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-614","page","type-page","status-publish","hentry"],"yoast_head":"\n