Data Breach Policy

Aim

We are aware of the obligations placed on us by the General Data Protection Regulation (GDPR) in relation to processing data lawfully and to ensure it is kept securely.

One such obligation is to report a breach of personal data in certain circumstances and this policy sets out our position on reporting data breaches.

 

Personal Data Breach

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or processed.

The following are examples of data breaches:

  1. access by an unauthorised third party;
  2. deliberate or accidental action (or inaction) by a data controller or data processor;
  3. sending personal data to an incorrect recipient;
  4. computing devices containing personal data being lost or stolen;
  5. alteration of personal data without permission;
  6. loss of availability of personal data.
 

Breach Detection Measures

We have implemented the following measures to assist us in detecting a personal data breach:

  • IT security packages which monitor access to our computer systems and prevent unauthorised access
  • Limited number of individuals who access to personal data
  • Physical security of paper records which are kept in locked cabinets/rooms
 

Investigation Into Suspected Breach

In the event that we become aware of a breach, or a potential breach, an investigation will be carried out by the surgery and a decision made as to whether the breach is required to be notified to the Information Commissioner. A decision will also be made over whether the breach is such that the individual(s) must also be notified.

 

When Will A Breach Be Notified To The Information Commissioner?

In accordance with the GDPR, we will undertake to notify the Information Commissioner of a breach which is likely to pose a risk to people’s rights and freedoms. A risk to people’s freedoms can include physical, material or non-material damage such as discrimination, identity theft or fraud, financial loss and damage to reputation.

Notification to the Information Commissioner will be done without undue delay and at the latest within 72 hours of discovery. If we are unable to report in full within this timescale, we will make an initial report to the Information Commissioner, and then provide a full report in more than one instalment if so required.

The following information will be provided when a breach is notified:

  1. a description of the nature of the personal data breach including, where possible:
    • the categories and approximate number of individuals concerned; and
    • the categories and approximate number of personal data records concerned
  2. the name and contact details of the data protection officer where more information can be obtained;
  3. a description of the likely consequences of the personal data breach; and
  4. a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
 

When Will A Breach Be Notified To An Individual?

In accordance with the GDPR, we will undertake to notify the individual whose data is the subject of a breach if there is a high risk to people’s rights and freedoms. A high risk may be, for example, where special categories of data are disclosed online.

This notification will be made without undue delay and may, dependent on the circumstances, be made before the supervisory authority is notified.

The following information will be provided when a breach is notified to the affected individuals:

  1. a description of the nature of the breach
  2. the name and contact details of the data protection officer where more information can be obtained
  3. a description of the likely consequences of the personal data breach and
  4. a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
 

Record Of Breaches

Courtside Surgery records all personal data breaches regardless of whether they are notifiable or not as part of its general accountability requirement under GDPR. It records the facts relating to the breach, its effects and the remedial action taken.