This policy describes how Orange Aero Limited will deal with a Data Breach.
The data controller is Orange Aero Limited, Unit O, Howland Road Business Park, Howland Road, Thame, Oxfordshire OX9 3GQ, 01844 260150.
A Personal Data Breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- Access by an unauthorised third party
- Deliberate or accidental action (or inaction) by a controller or processor
- Sending personal data to an incorrect recipient
- Computing devices containing personal data being lost or stolen
- Alteration of personal data without permission
- Loss of availability of personal data
Reporting an Incident
Any individual who accesses, uses or manages Orange Aero’s information is responsible for reporting data breach and information security incidents immediately to Julie Lines firstname.lastname@example.org. If the breach occurs or is discovered outside normal working hours, it must be reported as soon as is practical.
Containment and Recovery
We will determine if the breach is still occurring. If so, appropriate steps will be taken immediately to minimise the effect of the breach. An initial assessment will be made to establish the severity of the breach. We will establish whether there is anything that can be done to recover any losses and limit the damage the breach could cause. We will establish who we must notify as part of the initial containment. We will determine the suitable course of action to be taken to resolve the incident.
If personal data has been sent to someone not authorised to see it, we will tell the recipient not to pass the information on or discuss it with anyone else. The recipient must destroy or delete the personal data they have received and confirm in writing that they have done so. We will explain to the recipient the implications if they further disclose the data and where relevant, inform the data subjects whose personal data is involved what has happened.
Investigation and Risk Assessment
Once a breach has been discovered / reported we will investigate it as soon as possible. We will assess the risks associated with it, for example, the potential adverse consequences for individuals, how serious or substantial those are and how likely they are to occur.
The investigation will need to take into account the following:
- The type of data involved and its sensitivity
- What security measures are in place
- Whether the data has been lost or stolen
- Whether the data could be put to any illegal or inappropriate use
- Who the data subjects are and the potential effect on them
- Whether there are any wider consequences to the breach
Notifying the ICO of a Personal Data Breach
If a data breach is likely to result in a risk to people’s rights and freedoms then we must notify the ICO; if it’s unlikely then we don’t have to report it. If we decide we don’t need to report the breach, we need to be able to justify this decision, and we should document it.
Notifiable breaches must be reported to the ICO without undue delay, and within 72 hours of becoming aware. If we don’t comply with this requirement, we must be able to give reasons for the delay. In some instances it will not always be possible to investigate a breach fully within 72 hours, where that applies we should provide the required information in phases, as long as this is done without undue further delay.
Breach Information the ICO Require
When reporting a breach to the ICO, we will provide the following information:
- Details of the personal data breach including the categories (whether the data relates to employees, customers, suppliers etc) and approximate number of individuals concerned and personal data records concerned
- Details of the likely consequences of the personal data breach
- Details of the steps taken, or proposed to be taken, including action taken to mitigate any possible adverse effects
Notifying Individuals of a Personal Data Breach
Where notification to individuals may also be required, we will evaluate the severity of the potential impact on individuals and the likelihood of this occurring. Where there is a high risk, we will inform those affected as soon as possible, especially if there is a need to mitigate an immediate risk of damage to them.
We will notify the individuals of the likely consequences of the personal data breach and the steps taken, or proposed to be taken, including action taken to mitigate any possible adverse effects.
The breach need not be reported to individuals if:
- We have implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach
- We have taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise
- It would involve disproportionate effort (in this case a public communication may be more appropriate).
In the case of a breach affecting individuals in different EU countries, we are aware that the ICO may not be the lead supervisory authority. Where this applies, we will establish which European Data Protection Agency would be the lead supervisory authority for the processing activities that have been subject to the breach.
In certain instances we may need to consider notifying third parties such as the police, insurers, professional bodies, bank or credit card companies who can assist in reducing the risk of financial loss to individuals.
Evaluation and Response
Once the initial incident is contained, we will carry out a full review of the causes of the breach, the effectiveness of the response and whether any changes to systems, policies and procedures should be undertaken. Existing controls will be reviewed to determine their adequacy, and whether any corrective action should be taken to minimise the risk of similar incidents occurring.
The Review will Consider:
- Where and how personal data is held and where and how it is stored
- Where the biggest risks lie, and will identify any further potential weak points within its existing measures
- Whether methods of transmission are secure; sharing minimum amount of data necessary
- Identifying weak points within existing security measures
- Staff awareness
Date of Last Review – May 2019
Review Frequency – 1 year
Review Date – May 2020