This guidance outlines the key actions and considerations for the lead investigator when addressing an information security breach that involves personally identifiable information.[1] It supports the method statement on data loss and information security breach management.
Step | Action points | Notes |
---|---|---|
Containment and recovery | To contain any breach, to limit further damage as far as possible and to seek to recover any lost data. | |
1 | Establish lead for investigating breach. | To investigate extent and nature of breach, to contact and co-ordinate with specialists and stakeholders (eg Data Protection specialist, IT Services, system owners, External Relations). This will normally be the Data Protection Officer. |
2 | Ensure lead has appropriate resources. | Including sufficient time and authority. |
3 | Ascertain the scope of the breach. | See ‘Risk assessment’ below. |
4 | Establish who needs to be made aware of the incident and inform them of what they are expected to do to assist in the containment/recovery exercise. | eg finding lost piece of equipment, changing passwords or access codes, isolating/closing part of network, pulling webpages, informing police, checking any contractual obligations to act/report where data has been supplied under contract (see #19). If you have any reason to suspect that there is computer misuse ("hacking"), contact the Computer Emergency Response Team, who will provide advice on actions to take and how to preserve evidence. |
5 | Ensure that any possibility of further data loss is removed or mitigated as far as possible. | As above. This may involve actions such as taking systems offline or restricting access to systems to a very small number of staff until more is known about the incident. |
6 | Determine whether anything can be done to recover any losses and limit any damage that may be caused. | eg physical recovery of data/equipment, or, where data is corrupted, through use of back-ups. |
7 | Where appropriate, inform the police. | eg stolen property, fraudulent activity, offence under the Computer Misuse Act. |
Risk assessment | To identify and assess the ongoing risks that may be associated with the breach. In particular: an assessment of (a) potential adverse consequences for individuals, (b) their likelihood, extent and seriousness. Determining the level of risk will help define actions in attempting to mitigate those risks. | |
8 | What type (ie Personal Data, Special Category Data, Criminal Offence Data) and volume of data is involved? | |
9 | How sensitive is the data? | Special Category Data? Of a very personal nature (eg health record) or sensitive because of what might happen if misused (eg banking details)? |
10 | What has happened to the data? | eg if data has been stolen, it could be used for purposes which are harmful to the individuals to whom the data relate; if it has been damaged, this poses a different type and level of risk. |
11 | If the data was lost/stolen, were there any protections in place to prevent access/misuse? | eg encryption of data/device. |
12 | If the data was damaged/corrupted/lost, were there protections in place to mitigate the impact of the loss? | eg back-up tapes/copies. |
13 | How many individuals are affected by the breach? | |
14 | Who are the individuals whose data has been compromised? | Students, applicants, staff, customers, research participants, clients or suppliers? |
15 | What could the data tell a third party about the individual? Could it be misused? | Consider this regardless of what has happened to the data. Sensitive data could mean very little to an opportunistic laptop thief, while the loss of apparently trivial snippets of information could help a determined fraudster build up a detailed picture of other people. |
16 | Is there actual/potential harm that could come to any individuals? | eg are there risks to: … In addition, could the breach result in: … |
17 | Are there wider consequences to consider? | eg a risk to public health or loss of public confidence in an important service we provide? |
18 | Are there others who might advise on risks/courses of action? | eg if individuals’ bank details have been lost, consider contacting the banks themselves for advice on anything they can do to help you prevent fraudulent use. |
Notification | To consider any necessary notification of people and organisations. | |
19 | Determine whether the breach is reportable to the ICO. If so, ensure notification is made as soon as possible and within 72 hours of identification. | Breaches must be reported where risks to the rights and freedoms of data subjects are high. The DPO maintains processes for conducting risk assessments. |
20 | Determine whether data subjects need to be notified of the breach. | Where risks to individual rights and freedoms are high, data subjects must be informed directly and without undue delay. In addition, notification should be made where individuals could act on the information provided to mitigate risk (eg by changing a password or monitoring their account). |
21 | Consider the dangers of ‘over-notifying’. | Not every incident will warrant notification, “and notifying a whole 2 million strong customer base of an issue affecting only 2,000 customers may well cause disproportionate enquiries and work”. |
22 | Consider whom to notify, what you will tell them and how you will communicate the message. | |
23 | Consider how notification can be made appropriate for particular groups of individuals. | eg children or vulnerable adults. |
24 | Are there any other legal, contractual or regulatory requirements to notify? | eg terms of funding; contractual obligations; reporting responsibilities for researchers under the University’s Research Misconduct Policy (s.2);[2] service provider obligations under the Privacy and Electronic Communications Regulations? |
25 | Consider, as necessary, the need to notify any third parties who can assist in helping or mitigating the impact on individuals. | eg police, insurers, professional bodies, funders, trade unions, website/system owners, bank/credit card companies. |
Evaluation and response | To evaluate the effectiveness of the University’s response to the breach. To learn and apply any lessons or remedies in the light of findings or experience. | |
26 | Establish where any present or future risks lie. | Department and Information Security Board. |
27 | Consider the data and contexts involved. | eg what data is held, its extent, sensitivity, where and how it is stored, how long it is kept. |
28 | Consider and identify any weak points in existing security measures and procedures. | eg in relation to methods of storage and/or transmission, use of storage devices, levels of access, systems/network protections. |
29 | Consider and identify any weak points in levels of security awareness/training. | Fill any gaps through training or tailored advice. |
30 | Ensure appropriate documentation is prepared in accordance with Article 33(5) of the GDPR. | The DPO maintains a template incident reporting form that is aligned to UK GDPR requirements. |
[1] Based on ‘Does the GDPR require us to take any other steps in response to a breach?’ issued by the Information Commissioner’s Office.
[2] Research misconduct, Academic misconduct and Research policies and code of practice.