What is a data access & breach policy, letter and reporting template?
This is the policy that Nous House Ltd (“NOUS”) has adopted to respond to data access requests and to data breaches. It outlines the procedure to follow in both instances.
01. This policy
NOUS takes privacy seriously and makes all efforts required to protect Personal Data, and actively works to avoid any data protection breaches which could compromise data security or the Personal Data of our staff, customers, stakeholders or anyone else associated with our business.
02. What is the purpose of this policy?
To mitigate the risk of a data breach, we follow this Data Breach Policy. It is an integral part of our compliance responsibilities under the Data Protection Act 2018, and is designed to identify clear lines of responsibility and processes that must be followed in the event of a security incident. This Policy also defines the actions that should be undertaken to prevent further breaches.
03. What does this policy cover?
This policy encompasses all personal and sensitive data our company holds and applies to everyone in the business – including employees, temporary or casual staff, consultants, suppliers, contractors, freelance workers or other data processors who are storing or processing data on behalf of our business.
04. Data Access Requests
Every person about whom NOUS collects and stores Personal Data has a number of rights in respect of that data. Those rights include:
• The Right to ask to see a copy of the information we hold (a “Subject Access Request”).
• The Right to Object to Processing.
• The Right to Be Forgotten.
• The Right to Data Portability.
• The Right to Withdraw Consent.
The NOUS Data Protection, Privacy & Security Policy provides information to Data Subjects about what information we store and process, why and for how long. It also sets out individuals’ rights (as above) and how they can enforce those rights.
Any member of staff who receives a Subject Access Request must forward it to the Data Protection Manager. Subject Access Requests are in fact sometimes complaints, and all complaints must be forwarded to the Data Protection Manager to assess and, if appropriate, refer on to the customer service team.
A Subject Access Request should include a detailed description of the information requested, to help NOUS identify what data is required and for whom, and should confirm that the person making the request has authority to do so. When a request is received, the Data Protection Manager will check that all of the information we require is in the request submitted. If it is not, the Data Protection Manager will ask that the person making the request complete a NOUS Subject Access Request form.
05. What are data breaches?
We define a data breach as any incident, event or action that has the potential to compromise the availability, integrity or confidentiality of data or systems. A data breach is treated as an incident whether it occurs accidentally or deliberately, whether the breach is suspected or actual, and irrespective of any ‘damage’ or loss.
An incident may include, but is not limited to:
• Unauthorised use or access of data.
• Unauthorised modification of data.
• Loss or theft of personal or sensitive data.
• Loss or theft of equipment on which personal data has been stored.
• Processing errors that lead to wrongful or incorrect Personal Data input.
• Attempts to gain access to Personal Data or NOUS’s IT systems (even if those attempts fail).
• Physical incidents that compromise our IT systems.
06. Reporting a data breach
All employees who access, manage or use Personal Data in any way are responsible for reporting a data breach or any other incident of the type mentioned in section 05 above. This report MUST be made immediately.
The report must be made to the reporting party’s line manager, using the data breach reporting form which is available from the Data Protection Manager. This should be requested, with an overall review of the complaint, via the email:
Details of the incident that must be included in the report include:
• NAME of person reporting the incident.
• HOW the incident was discovered.
• WHEN the incident occurred.
• DETAILS of the incident.
If an incident occurs outside of normal business hours or if it is discovered outside of normal company hours, it must be reported as soon as possible.
Any failure to report or a violation of this data breach policy could result in disciplinary action being taken against the party who discovered the breach.
07. Data breach containment and data recovery
Immediately upon discovering an incident, NOUS will take all necessary steps to minimise the effects of any data or security breach or incident. That process will be undertaken as follows (which is not an exhaustive list and may change according to the circumstances of the breach or incident):
• Initial assessment designed to establish the severity of the incident, to include:
 · nature and extent of data involved.
 · analysis of whether the data involved is sensitive in nature.
 · details of individuals affected.
 · security measures that are in place to protect the Personal Data involved in the incident.
 · whether any data involved could be used in an illegal or otherwise inappropriate way.
 · any perceived wider consequences or risks associated with the breach or incident.
• Analysis of data loss (if any).
• Notification of data breach to interested parties and regulators per the strategy in section 08 below.
• Undertake strategies to mitigate further loss and/or risk of data loss associated with the incident.
• Analysis of whether lost data may be recovered.
08. Data breach notification
NOUS will determine which individuals/regulators must be notified in the event of an incident.
Each incident will be assessed on a case-by-case basis. In every instance, the following factors must be considered:
• legal notification requirements.
• number of people affected.
• any contractual notification requirements.
• consequences of that incident.
• whether notification of a breach or incident would help the individual to mitigate risks associated with the incident and prevent unauthorised or illegal use of data.
All data breaches and data security incidents, both suspected and verified, MUST be recorded as described in section 06 above to assist in further analysis and to help prevent further breaches.
09. Notification to individuals
If the data security incident potentially involves a large number of individuals, NOUS will consider whether notifying a large number of individuals may have the potential to cause disproportionate enquiries which will in turn result in a delayed response to the incident.
Whenever NOUS notifies an individual whose Personal Data has been affected by an incident or breach, that notification MUST include:
• details of WHEN the breach occurred.
• HOW we believe the breach occurred.
• WHAT data we believe was involved.
• explicit guidance concerning what the individual can do to protect themselves against unauthorised use of their data.
• information about steps taken by NOUS to mitigate risks of unauthorised use of the data.
Any breach notice will be sent when approved by the Data Protection Manager and will take the form shown below.
10. Data breach evaluation and response
After the incident has been contained and addressed, NOUS will conduct an extensive review detailing:
• cause(s) of the incident.
• effectiveness of the incident response.
• whether changes to existing IT systems, company procedures or policies must be implemented.
• adequacy of existing protocols.
• any amendments to protocols to be carried out as soon as possible.