Our policy on reporting significant Breaches of Personal Data is that we will notify our Supervisory Authority within 72 hours of first becoming aware of the Breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
ICO Contact Details
ICO, Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113 or 01625 545 745
Fax: 01625 524 510
Step 1. All staff having been adequately trained and notified, any staff member becoming aware of a data breach shall immediately notify the Manager responsible for Data Protection:
Telephone: 00 44 121 285 3888
The following details shall be recorded, or as much detail as is known. Reporting should not be delayed in order to gather data that is not immediately available:
(a) Description of the incident in as much detail as possible
(b) Time, date and location of incident
(c) Details of how the incident occurred and any relevant events leading up to it
(d) If there has been a delay in reporting the incident to the DPR/DPO please explain your reasons for this.
(e) What personal data has been placed at risk? Please specify if any financial or sensitive personal data has been affected and provide details of the extent
(f) How many individuals have been affected?
(g) Are the affected individuals aware that the incident has occurred?
(h) What are the potential consequences and adverse effects on those individuals?
(i) Have any affected individuals complained to the organisation about the incident?
Step 2. The Manager responsible for Data Protection, in conjunction with the Board of Directors, shall determine whether the personal data breach is likely to result in a risk to the rights and freedoms of natural persons. If there is uncertainty, then it should be assumed that it will.
Step 3. The Manager responsible for Data Protection, or appropriate alternative, shall notify the Supervisory Authority of the incident within 72 hours.
The following Form can be completed and submitted to the ICO in the event of a Data Breach
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. The communication shall describe, in clear and plain language, the nature of the personal data breach and contain at least the following information and measures:
This communication to the data subject shall not be required if any of the following conditions are met: