Data Breach Policy

From Wikimedia UK
Jump to navigation Jump to search
Comment This policy was adopted by the Board on 9 February 2013. It is part of a series of IT Security Policy.

Introduction

This policy has been drafted based on the Office of the Information Commissioner's guidance to organisations about to handle a data security breach.

Key Principles

  • That all staff and volunteers are aware of what constitutes a data breach
  • That improved awareness leads to a 'prevention rather than cure' approach by better safeguarding of data
  • That all staff and volunteers are confident of their responsibilities in respect of identifying and reporting a possible data breach
  • That the policy and appropriate testing of the policy during an annual security audit improve confidence of donors, members and other key stakeholders in Wikimedia UK's probity in managing and responding appropriately to a data breach.

What constitutes a data security breach

A non exhaustive list would include:

  • Loss or theft of data or equipment on which data is stored
  • Inappropriate access controls allowing unauthorised use
  • Equipment failure
  • Human error
  • Unforeseen circumstances such as a fire or flood
  • Hacking attack
  • Blagging’ offences where information is obtained by deceiving the organisation who holds it

Managing a data security breach

Identify the breach

  • The Chief Executive should be informed in writing immediately - preferably by email. This should set out the nature of the incident and those involved and the type of data potentially unlawfully accessible/accessed.
  • If the breach occurs or is discovered outside normal working hours, this should begin as soon as is practicable.
  • The Chief Executive may then chose to investigate the breach directly, or delegate to an appropriate member of staff (usually the Office and Development Manager or Fundraising Manager) who will be the alternate investigating officer.

Contain any continuing issue

The designated investigating officer must establish if the breach is current, and therefore if it can be halted or the effects minimised i.e. by shutting down systems, revoking access or informing staff responsible for the continuing cause of a breach.

Recovery and Damage limitation

The designated investigating officer must act promptly to identify the extent of the problem, what data has been at risk, and take appropriate steps to recover data and minimise risk. This could include:

  1. Informing the Police of stolen equipment
  2. Reporting and attempting to recover lost equipment
  3. Briefing Trustees and Staff as to the nature of the breach and to be mindful should they receive 'blagging' inquiries using said data.
  4. Informing the Communications Officer should inquiries from the Press be received
  5. Accessing of back-ups to replace lost or damaged data
  6. Contacting the bank or banks of account holders if account holder details have been unlawfully shared to prevent fraudulent use.
  7. If the data breach included entry codes or passwords, then these must be changed immediately, and involved users (members of staff or volunteers) informed.

Investigation

  • The designated investigating officer should ascertain whose data was involved in the breach, the potential effect on the data subject and what further steps need to be taken to remedy the situation.
  • The investigation should consider:
  • Type of data and its sensitivity
  • What protections are in place (e.g. encryption)
  • What has happened to the data
  • Whether the data could be put to any illegal or inappropriate use
  • How many people are affected
  • What type of people have been affected (Members, Donors, Staff etc) and whether there are wider consequences to the breach.
  • A clear record should be made of the nature of the breach and the actions taken to mitigate it on the Office Wiki.
  • The investigation should be completed urgently and wherever possible within 24 hours of the breach being discovered/reported. A further review of the causes of the breach and recommendations for future improvements can be done once the matter has been resolved.

Notification

  • Some people/agencies may need to be notified as part of the initial containment i.e. the Police, Banks, Server administrators etc.
  • The decision about whether to inform those whose data may have been unlawfully shared will normally be made once an investigation has taken place.
  • The Investigating Officer should, on seeking legal advice, decide whether anyone should be notified of the breach. In the case of significant breaches, the Information Commissioner’s Office (ICO) should be notified.
  • Every incident should be considered on a case by case basis. The following points provide guidance on whether notification is advisable:
  • Are there any legal/contractual requirements to notify?
  • Will notification help prevent the unauthorised or unlawful use of personal data?
  • Could notification help the individual – could they act on the information to mitigate risks?
  • Consider the dangers of over-notifying. Not every incident warrants notification and over-notification may cause disproportionate enquiries, concern and use of staff time.
  • The notification should include a description of how and when the breach occurred and what data was involved. Include details of what you have already done to mitigate the risks posed by the breach.
  • When notifying individuals, give specific and clear advice on what they can do to protect themselves and what you are willing to do to help them. You should also give them the opportunity to make a formal complaint if they wish.
Contacting the Information Comissioner's Office
  • If a large number of people are affected, or there are very serious consequences, you should notify the ICO. The ICO should only be notified if personal data is involved. There is guidance available from the ICO here
  • If in doubt, call the IOC helpline on 0303 123 1113 or 01625 545745 available between 9am and 5pm, Monday to Friday.

Review and Evaluation

  • Once any containment, investigation and, if appropriate, notification of the breach is over, the instigating officer should provide a report to the board via the office wiki considering both the causes of the breach and the effectiveness of the response to it.
  • If systemic or ongoing problems are identified, then an action plan must be drawn up to put these right. If the breach warrants a disciplinary investigation, this matter must be taken up by the chief executive in compliance with employee contracts or volunteer agreements.
  • This policy may need to be reviewed after a breach or after legislative changes, and as a matter of best practice should be reviewed annually alongside the Cardholder Data Security policy.