Data Breach Policy/Proposed revisions June 2014

From Wikimedia UK
Jump to navigation Jump to search
A newspaper This page is still a draft and is not finalised. Feel free to edit it.


This policy has been drafted based on the Office of the Information Commissioner's guidance to organisations about to handle a data security breach.

Key Principles

  • That all staff and volunteers are aware of what constitutes a data breach
  • That improved awareness leads to a 'prevention rather than cure' approach by better safeguarding of data
  • That all staff and volunteers are confident of their responsibilities in respect of identifying and reporting a possible data breach
  • That the policy and appropriate testing of the policy during an annual security audit improve confidence of donors, members and other key stakeholders in Wikimedia UK's probity in managing and responding appropriately to a data breach.

What constitutes a data security breach

A non exhaustive list would include:

  • Loss or theft of data or equipment on which data is stored
  • Inappropriate access controls allowing unauthorised use
  • Equipment failure
  • Human error
  • Unforeseen circumstances such as a fire or flood
  • Hacking attack
  • Blagging’ offences where information is obtained by deceiving the organisation who holds it

Managing a data security breach

Identify the breach

  • The Chief Executive should be informed in writing immediately - preferably by email. This should set out the nature of the incident and those involved and the type of data potentially unlawfully accessible/accessed.
  • If the breach occurs or is discovered outside normal working hours, this should begin as soon as is practicable.
  • The Chief Executive may then chose to investigate the breach directly, or delegate to an appropriate member of staff (usually the Office and Development Manager or Fundraising Manager) who will be the alternate investigating officer.

Contain any continuing issue

The designated investigating officer must establish if the breach is current, and therefore if it can be halted or the effects minimised i.e. by shutting down systems, revoking access or informing staff responsible for the continuing cause of a breach.

Recovery and Damage limitation

The designated investigating officer must act promptly to identify the extent of the problem, what data has been at risk, and take appropriate steps to recover data and minimise risk. This could include:

  1. Informing the Police of stolen equipment (Staff and Trustees refer to staff guide on office wiki)
  2. Reporting and attempting to recover lost equipment
  3. Briefing Trustees and Staff as to the nature of the breach and to be mindful should they receive 'blagging' inquiries using said data.
  4. Informing the External Relations Officer should inquiries from the Press be received
  5. Accessing of back-ups to replace lost or damaged data
  6. Contacting the bank or banks of account holders if account holder details have been unlawfully shared to prevent fraudulent use.
  7. If the data breach included entry codes or passwords, then these must be changed immediately, and involved users (members of staff or volunteers) informed.


  • The designated investigating officer should be guided by the standards set out in the ICO's guidance on data security breach management.
  • A clear record should be made of the nature of the breach and the actions taken to mitigate it on the Office Wiki by uploading a copy of the notification form.


  • Some people/agencies may need to be notified as part of the initial containment and as a matter of urgency i.e. the Police, Banks, Server administrators etc.
  • The Investigating Officer must arrange for notification of the breach to the Information Commissioner’s Office (ICO) within 24 hours of becoming aware of the essential facts of the breach using the standard notification form.
Contacting the Information Commissioner's Office
  • If in doubt, call the ICO helpline on 0303 123 1113 or 01625 545745 available between 9am and 5pm, Monday to Friday.

Review and Evaluation

  • Once any containment, investigation and notification of the breach is over, the instigating officer should provide a report to the board via the office wiki considering both the causes of the breach and the effectiveness of the response to it.
  • If systemic or ongoing problems are identified, then an action plan must be drawn up to put these right. If the breach warrants a disciplinary investigation, this matter must be taken up by the chief executive in compliance with employee contracts.
  • This policy will be reviewed annually as a part of the charity's standard procedures.