Data breach policy
This policy applies to all members of staff:
Whether you have an employment contract with us or work for us in some other capacity (e.g. contractor, work experience), you must abide by this policy.
This policy applies to all personal data that is collected, stored, used or is accessible by our business:
Personal data is any information which does (or could be used to) identify a living person. It does not matter whether their information is kept digitally or in hard-copy, or whether it is in writing or some other format.
Why we have this policy:
This policy forms part of a suite of data protection policies which describe some of our organisational measures to protect personal data. This policy explains how to recognise when something has gone wrong (there has been a data breach) and what you should do next.
Who checks this policy is enforced:
The Information Commissioner’s Office (ICO) is the UK regulator and is responsible for checking that businesses comply with data protection law. Gareth Malna is responsible for advising and monitoring our data protection in our business. Our senior management are responsible for making (and providing adequate resources to implement) any decisions, including whether to report a breach to the ICO.
How is this policy enforced:
The ICO handles complaints and can fine businesses that do not fulfil their data protection obligations. Our employment (and equivalent) contracts require our staff to abide by this policy and we may conduct a disciplinary investigation where this policy has not been followed.

Who does this policy apply to?
This policy applies to all employees, directors, consultants or contractors of Zeyo Limited, a company registered in England and Wales with company number 14490357 whose registered address is 7 Gay Street, Bath, BA1 2PH (we/us/our).
What is a data breach?
You must be able to confidently recognise a data breach: You have a responsibility to recognise where there has been a data breach (and notify Gareth Malna) as soon as possible. A data breach is a security incident in which personal data has been accidentally or illegally:
Destroyed
The information has been permanently deleted (if it is electronic) or damaged beyond use (e.g. a hard copy has been shredded, or electronic files have been corrupted) and there is no copy or other version of the information.
Lost
There is no clear evidence that the information has been destroyed but it cannot be found even after extensive searches. Even if the information is later found, there has been a data breach (albeit one that has been resolved).
Changed
The information has been changed maliciously (e.g. changing bank account details so funds redirected to an imposter) or by mistake (e.g. overwriting an address on a customer database).
Shared, accessed or used by someone who did not have permission
Information should only be shared, accessed and used by those who are authorised. This extends beyond malicious individuals (e.g. hackers committing cyber-attacks) and includes circumstances where information has been emailed to the wrong recipient or information has not been stored properly (e.g. disciplinary outcome letter found on photocopier).
What to do if you suspect there has been a data breach?
Let Gareth Malna know as soon as possible: we (as a business) have an obligation to record and investigate suspected data breaches, and where a breach is reportable the ICO must be notified within 72 hours of us becoming aware of it (where we use the information on behalf of other business customers, our contracts with them usually require us to tell them sooner still). Do not wait to report a data breach, even if you are not sure whether it is real or not. It is always best to be cautious. You should report any suspected data breach by emailing hi@zeyro.one.
Provide as much detail as you can: the more information you can provide Gareth Malna, the better. Here are some examples of useful information:
- How did you discover the issue;
- What time did you discover the issue;
- Have you taken any action;
- What types of information are at risk;
- Whose information is at risk; and
- What kind of risk does it create for that person.
Gareth Malna will decide whether to report the breach to the ICO: once you have notified Gareth Malna, you do not need to take any further action (unless you receive a specific instruction, e.g. reset your password). It is the responsibility of Gareth Malna to investigate your report and suggest next steps to senior management. Senior management make the decision about whether the incident should be reported to the ICO or any other action should be taken.
If you fail to report a breach or suspected breach: failure to comply with this policy puts you and the business at risk and is a very serious issue. You may be liable to disciplinary action if you fail to comply with this policy.
What Gareth Malna will do in the event of a data breach
Containment: The data breach team will identify how the breach occurred and take immediate steps to stop or minimise further loss, destruction or unauthorised disclosure of personal data.
Recovery: The data breach team will identify ways to recover, correct or delete data. This may include contacting the police, e.g. where the breach involves stolen hardware or data.
Notify: depending on the circumstances of the breach, there are a number of parties that may need to be notified. These include:
- The ICO (as mentioned above, where a breach is reportable to the ICO, it must be notified within 72 hours of us becoming aware of it);
- Individuals who either were or may be affected by the data breach;
- The police, if we suspect criminal activity;
- Our other business contacts who may be involved; and
- Our insurance providers.
Assess and Record: We will record any breaches in our data breach register. In order to assess the seriousness (including whether an ICO notification is required), Gareth Malna will assess the data breach based on the following factors.
The potential harm to the rights and freedoms of data subjects
This is the overriding consideration in deciding whether a breach of data security should be reported to the ICO. Detriments include emotional distress as well as both physical and financial damage.
The volume of personal data
There should be a presumption to report to the ICO where:
- a large volume of personal data is concerned, and
- there is a real risk of individuals suffering some harm.
It will, however, be appropriate to report much lower volumes in some circumstances where the risk is particularly high.
The sensitivity of data
Even if only a small amount of personal data is involved, if it has the capability to cause those individuals harm (including financial loss or distress), then there should be a presumption to report to the ICO.
This is most likely to be the case where the breach involves special category personal data. This includes personal data about an individual’s race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic information, biometric information, and information concerning an individual’s health, sex life or sexual orientation.
If the information is particularly sensitive, even a single record could trigger a report.
Preventing future breaches
Prevention is always better than cure: Data security concerns may arise at any time and we encourage you to report any concerns you have to Gareth Malna. This helps us capture risks as they emerge, protect our company from personal data breaches and keep our processes up-to-date.
Training: the key to preventing data breaches is staff awareness, so we provide training to our staff.
Learning from experience: once the personal data breach has been dealt with in accordance with this plan, Gareth Malna will:
- establish what security measures were in place when the breach occurred;
- assess whether technical or organisational measures can be implemented to prevent the breach happening again;
- consider whether there is adequate staff awareness of security issues and look to fill any gaps through training or tailored advice;
- consider whether it is necessary to conduct a privacy risk assessment;
- update the privacy risk register; and
- debrief the senior management following the investigation.
If you have any questions about this policy
If you have any questions about this policy, please contact hi@zeyro.one.