Personal Data Breach Policy
Date of Last Review – May 2024
Review Frequency – 1 year
Review Date – May 2025
This policy describes how Orange Aero Limited will deal with a Personal Data Breach.
The Data Controller is Orange Aero Limited, Unit O, Howland Road Business Park, Howland Road, Thame, Oxfordshire, OX9 3GQ, 01844 260150.
The GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
A breach of personal data is a type of security incident and falls into one or more of three categories:
- ‘Confidentiality breach’ – an unauthorised or accidental disclosure of, or access to, personal data.
- ‘Integrity breach’ – an unauthorised or accidental alteration of personal data.
- ‘Availability breach’ – an accidental or unauthorised loss of access to, or destruction of, personal data.
A breach may concern the confidentiality, integrity, and availability of personal data at the same time, or any combination. It can be a result of both accidental and deliberate causes.
Personal data breaches can include:
- Access by an unauthorised third party
- Deliberate or accidental action (or inaction) by a controller or processor
- Sending personal data to an incorrect recipient
- Computing devices containing personal data being lost or stolen
- Alteration of personal data without permission
- Loss of availability of personal data
When a personal data breach has occurred, we will assess the likelihood and severity of the resulting risk to the rights and freedoms of the individuals involved. If the breach is likely to result in such a risk, we are required by law to notify the ICO.
Reporting an Incident
Any individual who accesses, uses, or manages Orange Aero’s information is responsible for reporting personal data breaches and information security incidents immediately to Sharon Mills (smills@orange.aero). If the breach occurs or is discovered outside normal working hours, it must be reported as soon as is practical.
Containment and Recovery
We will determine if the breach is still occurring. If so, appropriate steps will be taken immediately to minimise the effect of the breach. An initial assessment will be made to establish the severity of the breach. We will establish whether there is anything that can be done to recover any losses and limit the damage the breach could cause. We will establish who we must notify as part of the initial containment. We will determine the suitable course of action to be taken to resolve the incident.
If personal data has been sent to someone not authorised to see it, we will tell the recipient not to pass the information on or discuss it with anyone else. The recipient must destroy or delete the personal data they have received and confirm in writing that they have done so. We will explain to the recipient the implications if they further disclose the data and where relevant, inform the data subjects whose personal data is involved what has happened.
Investigation and Risk Assessment
Once a breach has been discovered / reported we will investigate it as soon as possible. We will assess the risks associated with it, for example, the potential adverse consequences for individuals, how serious or substantial those are, and how likely they are to occur.
The investigation will need to take into account the following:
- The type of breach
- The type of data involved, including the nature, sensitivity and volume of the personal data
- How easy it is to identify individuals
- The severity of consequences for individuals
- What security measures are in place
- Whether the data has been lost or stolen
- Whether the data could be put to any illegal or inappropriate use
- Whether there are any wider consequences to the breach
A breach is likely to result in a risk to the rights and freedoms of individuals if it could result in physical, material or non-material (i.e. emotional) damage. In particular:
- Loss of control over personal data
- Limitation or deprivation of individuals’ rights
- Discrimination
- Identity theft or fraud
- Financial loss
- Damage to reputation
- Unauthorised reversal of pseudonymisation
- Loss of confidentiality of personal data protected by professional secrecy
- Any other significant economic or social disadvantage
Notification to the ICO
As a result of this assessment, if we believe that there is a risk to the rights and freedoms of the individual(s), we will notify the Information Commissioner’s Office (ICO), as required under the GDPR. If we are in any doubt, we will always err on the side of caution and notify the ICO.
Where we assess a breach is reportable to the ICO, we must make this report without undue delay, and where feasible, not later than 72 hours after becoming aware of the breach.
As a minimum, we must include in our notification:
- A description of the nature of the personal data breach, including, where possible:
  - Categories and approximate number of individuals concerned
  - Categories and approximate number of personal data records concerned
- Name and contact details of the DPO
- Description of the likely consequences of the personal data breach
- Description of the measures that have been, or will be, taken to deal with the breach and mitigate any possible adverse effects on the individual(s) concerned.
Notifying Individuals of a Personal Data Breach
Where a data breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify affected individuals as soon as possible. We will provide:
- A description of the nature of the breach
- The name and contact details of the DPO
- A description of the likely consequences of the breach
- A description of the measures taken, or proposed to be taken, by Orange Aero to address the breach and mitigate any possible adverse effects.
We will also consider what specific advice we can provide to individuals to help them protect themselves, such as resetting passwords where access credentials have been compromised.
In the case of a breach affecting individuals in different EU countries, we are aware that the ICO may not be the lead supervisory authority. Where this applies, we will establish which EU data protection supervisory authority would be the lead supervisory authority for the processing activities that have been subject to the breach.
Third Parties
In certain instances, we may need to consider notifying third parties such as the police, insurers, professional bodies, banks, or credit card companies who can assist in reducing the risk of financial loss to individuals.
Evaluation and Response
Once the initial incident is contained, we will carry out a full review of the causes of the breach, the effectiveness of the response and whether any changes to systems, policies and procedures should be undertaken. Existing controls will be reviewed to determine their adequacy, and whether any corrective action should be taken to minimise the risk of similar incidents occurring.
The review will consider:
- Where and how personal data is held and stored
- Where the biggest risks lie, identifying any weak points within existing security measures
- Whether methods of transmission are secure, and whether only the minimum amount of data necessary is shared
- Staff awareness