It is a requirement of the Data Protection Act (DPA) and ISO 27001 that we report all information security incidents and data breaches. These should be reported via the Information Security Breach Report Form that is available on the intranet. The GC Information Security Incident Reporting Procedure contains further information on what to do in the event of a security incident or breach.
An information security incident or breach can take a number of forms, including but not limited to:
- Lost or stolen documentation, computer devices, mobile phones etc.
- Sending personal data to an incorrect/unauthorised recipient (by accident or intentionally).
- Data that is deleted or altered without authorisation.
- Unauthorised personnel hacking or viewing data via our systems.
- Customers’ CVs or documents containing personal information stored on public use computers (e.g. within training rooms, job-search rooms etc.).
- Personal or company confidential information within offices not stored in locked cabinets or left unattended.
- Ineffective security controls.
- Breaches of physical security arrangements.
- Malfunctions of software or hardware.
- Information systems, databases or software applications being unavailable or inaccessible to authorised users when required.
- Information within systems, software applications or databases appearing to be inaccurate, outdated or transposed.
- Uncontrolled changes to our systems and access violations.
The DPA makes it clear that when any security incident involving personal data takes place, we need to quickly establish whether a personal data breach has occurred and, if so, we will need to promptly take steps to address it, including telling the Information Commissioner’s Office (ICO) or the data subject if required.
Failing to notify the ICO of a breach when required to do so can result in a significant fine of up to £8.7 million or 2 percent of our global turnover. Therefore, it is vital that you understand your personal responsibility to follow these guidelines and report any actual or potential data breach you come across, no matter how small or insignificant you feel it may be.
If you have any questions or would like to know more about how to report a security incident or data breach please contact Dee Beckett, our Data Protection Officer.