Assemble the security breach team
It is a good idea to put in place a security breach management team (SB Team) and to nominate deputies, in case the primary members of the SB Team are not available when a breach occurs. The Information Commissioner's Good Practice Note: Guidance on data security breach management (Data Breach GPN) advocates that data controllers put in place an SB Team to deal with personal data security breach incidents.
The SB Team must be trained in advance to understand their role in managing the security breach. Dealing with a breach quickly can limit the damage that it causes. The precise membership of the SB Team will depend on the structure of the organisation, but all members need to be clear about who is taking ultimate responsibility.
An SB Team should include at least one senior officer, so that decisions can be made and acted on swiftly. This approach is consistent with the Cabinet Office Data Handling Procedures in Government: Final Report (June 2008) (Report), which states that senior level ownership of information is a key factor in success, demonstrates the importance of the issue and is critical in obtaining resource. In addition, the Data Breach GPN recommends accountability for security breach management at a senior level. Individuals from areas such as Human Resources, Personal Representation, IT, security (IT and physical) and legal and compliance officers with appropriate seniority should also sit within the SB Team.
Investigate the facts
The data security breach should be investigated to determine:
- The nature and cause of the breach.
- The extent of the damage or harm that results or could result from the breach.
PLC - Personal data security breach management: checklist Page 1 of 5
For further information, see Practice note, Personal data security breach management in the public sector.
Stop or mitigate the breach
Take action to stop the data security breach from continuing or recurring and mitigate the harm that may continue to result from the breach.
If the Information Commissioner is notified or becomes involved in a data security breach, he will want to know what has been done to stop or mitigate the breach and what the data controller will do to ensure future compliance with Principle 7 of the Data Protection Act 1998 (Security Principle) (see Practice note, Personal data security breach management in the public sector). For further information on the Information Commissioner's powers to obtain information and take enforcement action, see PLC IPIT & Communications, Practice Note, Overview of UK data protection regime.
Determine the identity of the data controller
Determine the identity of the data controller for the purpose of the data security breach. The data controller is the party that determines the purpose for, and manner in which personal data is processed. Which party or parties this applies to may not always be obvious.
In some cases public bodies may process personal data for purposes determined by another public body or allow a service provider or other party to determine the manner in which personal data is processed. This may make the identity of the data controller difficult to ascertain.
There may be more than one data controller, particularly where, for example, shared services are involved. It is also common in relation to pensions data, for both the public body employer and the pension trustees to be data controllers for the same personal data.
Where there is more than one data controller, each of them may be liable for breach of the Security Principle.
Consider who needs to be notified
The data controller will need to consider which parties should be notified. These could include:
The Information Commissioner. There is no express obligation in the Data Protection Act 1998 to notify the Information Commissioner in the event of a data security breach. However, the Data Breach GPN recommends that serious data security breaches are notified.
A serious data security breach is described in the Data Breach GPN as a breach:
- that could cause a significant threat of harm to individuals;
- where large volumes of data are involved (as a rule of thumb, 1,000 or more individuals);
- where sensitive data is involved, such as financial or medical records, or where the personal data was held unencrypted.
In practice, data controllers should bear in mind that a third party may notify the Information Commissioner if they do not. The Information Commissioner is subject to the Freedom of Information Act 2000, as is the public sector data controller. However, information requests about data security breaches may be more likely to be made to the Information Commissioner, for example, as fishing expeditions by journalists.
Other data controllers. If there are other data controllers of the personal data in question, you may want to notify them (although this is not a legal obligation under the Data Protection Act 1998).
Insurers. Notification of potential claims may be an insurance policy requirement.
Data subjects. In the Data Breach GPN, the Information Commissioner cautions that data subjects should not be notified of a data security breach unless there is a reason for doing so. Data controllers should therefore consider whether the data subject will benefit from knowing about a data security breach involving their personal data, for example, by being able to change passwords or bank accounts to help prevent potential fraudulent use of the data. The Information Commissioner also suggests that data controllers may wish to consider providing data subjects whose personal data security is at risk with assistance in dealing with practical issues, such as identity fraud checking services.
The Cabinet Office. The Report, which applies to central government bodies, requires the reporting of security incidents. The Report refers to the introduction of reporting mechanisms such as annual reporting, with immediate public announcement reserved for serious breaches where Ministers consider that immediate accountability to Parliament is needed or where public announcement would best serve those affected by the breach. The Cabinet Office favours this approach so as not to create a culture of blame and over-cautiousness.
Cross Government Actions: Mandatory Minimum Measures (June 2008) (Guidance), published by the Cabinet Office, also requires notification and states that incidents should be reported to incident management schemes (GovCERTUK for network security incidents and the Communications and Cryptographic Incident Notification, Reporting and Alerting Scheme (CINRAS) for incidents involving cryptographic items). The Guidance also states that significant actual or potential losses of personal data should be shared with the Information Commissioner and the Cabinet Office.
Check the contract
Consider whether the data security breach has been caused by another data controller (for example, where personal data has been made available to another data controller for the purposes of joined-up or shared services) or whether it has been caused by a data processor. If so, consider whether there are contract terms in place that govern the position.
Where the data security breach has been caused by a data processor, the public body data controller should consider their contract with the data processor, and in particular:
- Are the data protection and data security obligations in the contract appropriate for the purposes of compliance with the Security Principle?
- Does the data controller have a claim or any liability for breach of a specific data protection or security obligation?
- In the absence of any specific data security provisions, consider whether there may be a claim or any liability for breach of confidence or for a failure to exercise reasonable skill and care.
- Does the breach give rise to a right to claim damages? If so, is the value of the claim limited by the contractual limit of liability? Many contracts carve out claims for loss of data and damage to reputation from the limitation and exclusions of liability provisions.
- How will the claim for damages be quantified? Do liquidated damages or service credits apply? Are the costs incurred as a result of the breach recoverable? Is the data controller able to pass on to the data processor any liability it may incur as a result of sanctions imposed by the Information Commissioner?
- Does the breach give rise to a right to terminate the contract? In many contracts the breach of data security clauses will give rise to an express right to terminate.
- In the absence of an express right to terminate, consider whether the breach is sufficiently serious to give rise to the right to terminate the contract at common law for repudiatory breach. Whether such a right can be exercised will depend upon how serious the security breach is and its impact upon the parties' ability to continue to perform their contractual obligations.
- Does the data security breach trigger any other aspects of the contract, such as audit rights or the implementation of business continuity and disaster recovery plans?
- Are there any specific contractual administration matters that need to be observed to preserve rights, such as compliance with notice provisions or prescribed alternative dispute resolution procedures?
Does disciplinary action need to be taken?
Data controllers will need to review the actions of employees who cause data security breaches and decide whether disciplinary action is appropriate. This will involve consideration of:
- Any constitutional requirements of the organisation or any statutory requirements that may affect the way that the disciplinary process is conducted.
- The organisation's disciplinary policies and other relevant policies, such as data protection policies, IT and internet use policies and security policies, to determine the extent to which the employee has breached their express contractual obligations.
- Whether the employee had received adequate training and guidance on data protection and security responsibilities and ought reasonably to have been aware of the employer's expectations and the consequences of breaching them.
- Whether there has been any breach of statute that could justify immediate suspension or summary dismissal; this is more likely to be relevant to senior members of public sector organisations. Where disciplinary action is appropriate, it must be conducted in accordance with the statutory dismissal and disciplinary procedures and the organisation's own disciplinary procedure. For more information, see PLC Employment Practice notes, Statutory dismissal and disciplinary procedures and Conducting a disciplinary investigation and hearing.
Audit of security appropriateness and the need to make necessary improvements
An investigation should take place and should include a review of whether appropriate security policies and procedures were in place and, if so, whether they were followed.
Where one or more data processors may have caused the breach, consider whether adequate contractual obligations were in place to comply with the Security Principle and, if so, whether the data processor(s) is in breach of contract.
Where security is found not to be appropriate for the purpose of the Security Principle, consider what action needs to be taken to raise data protection and security compliance standards to those required by the Security Principle. If the Information Commissioner is notified or becomes involved in a data security breach, he is likely to request this information.