Courtside Surgery

Courtside Surgery Kennedy Way Yate Bristol BS37 4DQ

Data Breach Policy

DATA BREACH NOTIFICATION POLICY

AIM

 

We are aware of the obligations placed on us by the General Data Protection Regulation (GDPR) in relation to processing data lawfully and to ensure it is kept securely.

One such obligation is to report a breach of personal data in certain circumstances and this policy sets out our position on reporting data breaches.

PERSONAL DATA BREACH

 

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or processed.

The following are examples of data breaches:

  1. access by an unauthorised third party;
  2. deliberate or accidental action (or inaction) by a data controller or data processor;
  3. sending personal data to an incorrect recipient;
  4. computing devices containing personal data being lost or stolen;
  5. alteration of personal data without permission;
  6. loss of availability of personal data.

 

BREACH DETECTION MEASURES

 

We have implemented the following measures to assist us in detecting a personal data breach:

  • IT security packages which monitor access to our computer systems and prevent unauthorised access
  • Limited number of individuals who access to personal data
  • Physical security of paper records which are kept in locked cabinets/rooms

 

INVESTIGATION INTO SUSPECTED BREACH

 

In the event that we become aware of a breach, or a potential breach, an investigation will be carried out. This investigation will be carried out by Anne Lewis, IMT Manager who will make a decision over whether the breach is required to be notified to the Information Commissioner. A decision will also be made over whether the breach is such that the individual(s) must also be notified.

WHEN A BREACH WILL BE NOTIFIED TO THE INFORMATION COMMISSIONER

 

In accordance with the GDPR, we will undertake to notify the Information Commissioner of a breach which is likely to pose a risk to people’s rights and freedoms. A risk to people’s freedoms can include physical, material or non-material damage such as discrimination, identity theft or fraud, financial loss and damage to reputation.

Notification to the Information Commissioner will be done without undue delay and at the latest within 72 hours of discovery. If we are unable to report in full within this timescale, we will make an initial report to the Information Commissioner, and then provide a full report in more than one instalment if so required.

The following information will be provided when a breach is notified:

  1. a description of the nature of the personal data breach including, where possible:
    • the categories and approximate number of individuals concerned; and
    • the categories and approximate number of personal data records concerned
  2. the name and contact details of the data protection officer where more information can be obtained;
  3. a description of the likely consequences of the personal data breach; and
  4. a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

WHEN A BREACH WILL BE NOTIFIED TO THE INDIVIDUAL

 

In accordance with the GDPR, we will undertake to notify the individual whose data is the subject of a breach if there is a high risk to people’s rights and freedoms. A high risk may be, for example, where special categories of data are disclosed online.

This notification will be made without undue delay and may, dependent on the circumstances, be made before the supervisory authority is notified.

The following information will be provided when a breach is notified to the affected individuals:

  1. a description of the nature of the breach
  2. the name and contact details of the data protection officer where more information can be obtained
  3. a description of the likely consequences of the personal data breach and
  4. a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

RECORD OF BREACHES

 

Courtside Surgery records all personal data breaches regardless of whether they are notifiable or not as part of its general accountability requirement under GDPR. It records the facts relating to the breach, its effects and the remedial action taken.