This Data Breach Policy relates to procedures to follow

Introduction

As an organisation that processes personal data TVision Technology Ltd. must ensure appropriate measures are in place to protect against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data in the case of a data breach as per this policy. The General Data Protection Regulation specifies that all breaches (except those ‘unlikely to result in a risk to the rights and freedoms of natural persons) should be reported to the Information Commissioner ‘without undue delay…not later than 72 hours after having become aware of it’.

In the event of a data breach or an information security incident, it is vital that appropriate actions are taken to promptly report the breach to the Data Protection Officer who will manage the incident and minimise any associated risks.

Purpose of this process

This procedure is designed to set out the process that should be followed to ensure a consistent and effective approach is in place for managing a data breach across the organisation and ensure that:
• Data breach events are detected, reported and monitored consistently
• Incidents are assessed and responded to appropriately
• Action is taken to reduce the impact of a breach
• Relevant breaches are reported to the Information Commissioner within the 72 hour window
• Improvements are made to prevent recurrence
• Lessons learnt are communicated across the organisation

Responsibilities of TVision

Directors

The Directors of the organisation have responsibility for ensuring that any privacy risks are managed to prevent a data breach.

All Employees

All users of information assets across the organisation should familiarise themselves with this procedure. They should be aware of privacy risks, and be vigilant in order to ensure breaches are identified, reported and managed in a timely manner.

At TVision we have an open and honest culture where people feel comfortable to report mistakes. Support will be provided to ensure everyone has access to the appropriate skills and training to carry out their role effectively. However, gross negligence and intentional violations (including not reporting incidents/mistakes) are taken seriously and will lead to disciplinary action.

Reasons for a Personal Data Breach or Suspected Personal Data Breach

A personal data breach can happen for a number of reasons, for example:
• Loss or theft of data or equipment on which data is stored, or through which it can be accessed
• Loss or theft of paper files
• Hacking attack
• Inappropriate access controls allowing unauthorised / unnecessary access to data
• Equipment failure
• Human error
• Unforeseen circumstances such as a fire or flood

Reporting an Incident

It is vital that as soon as a Personal Data Breach is identified or suspected it is immediately reported to the Data Protection Officer. In order to improve our understanding of the risks to data and address them before breaches occur we would also encourage individuals to report ‘near misses’ (i.e. incidents which have almost resulted in a data breach except for an intervention or ‘luck’). Near misses should be reported using the same form and process as an actual breach highlighting clearly that the incident is a near miss. The General Data Protection Regulation requires that all relevant breaches are reported to the supervisory authority (the Information Commissioner) ‘without undue delay….., not later than 72 hours after having become aware of it’.

As much information as is immediately available should be collated. The Personal Data Breach Notification Form (which can be supplied on request) should be completed and emailed to data_protection@tvisiontech.co.uk as soon as possible and within twelve hours of the breach being identified at the very latest.

The Data Protection Officer will analyse the form, update the Personal Data Breach Log and ascertain whether any immediate corrective/containment/escalation actions are required.

Investigating an Incident

Depending on the type and severity of the incident the Data Protection Officer will assess whether a full investigation into the breach is required.

Where required, the Data Protection Officer will appoint an appropriate investigation team who will complete a full breach report.
The investigation will:
a) Establish the nature of the incident, the type and volume of data involved and the identity of the data subjects
b) Consider the extent of a breach and the sensitivity of the data involved
c) Perform a risk assessment
d) Identify actions the organisation needs to take to contain the breach and recover information
e) Assess the ongoing risk and actions required prevent a recurrence of the incident.

Reporting Breach to the Information Commissioner or Data Subject

The Data Protection Officer will co-ordinate breach reporting to the Information Commissioner within 72 hours of becoming aware of a relevant breach. They will also evaluate whether the breach is ‘likely to result in a high risk to the rights and freedoms’ of the data subject/s.

If this is determined to be the case the incident it will also be reportable to the data subject/s without undue delay. Any such report will be coordinated by the Data Protection Officer, assistance will be required from other teams across the business including but not limited to Marketing, Support and Finance. Assistance should be made available immediately when requested.

Policy Review

The Personal Data Breach Log will be reviewed on a regular basis by the Management Team who will determine whether any updates to Policy and Procedures are required, and co-ordinate any training and communications messages from the lessons learnt.

Associated documents and policies

This policy is to be read in conjunction with the related policies:
• Anti-bribery Policy
• Contact Promise
• Cookie policy
• Corporate Social Responsibility Policy
• Equal Opportunities Policy
• GDPR Principles
• Privacy Policy

Definitions of terms used in this policy

Personal Data

‘Personal data’ means any information relating to an identified or identifiable person (‘data subject’). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person

Personal data breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed

Special Category Data

Data which requires extra care and precautions to be taken in its processing and which details or consists of:
a. The racial or ethnic origin of the subject
b. Their political opinions
c. Their religious or philosophical beliefs
d. Whether they are a member of a trade union
e. Processing of genetic data
f. Processing of biometric data
g. Data concerning health
h. Their sexual life/sexual orientation

GDPR

General Data Protection Regulation – a regulation by the European Parliament intended to strengthen and unify data protection for individuals. It came into force in the UK on 25 May 2018. Read about our GDPR Principles here.

Approval

This data breach policy was approved by the directors of TVT Group Limited on 19/11/2019.