Data Protection Policy
The Data Protection Act 1998 (‘DPA 1998’) protects the rights of individuals to have their personal data collected and stored securely and used only for legitimate and lawful purposes for which their consent has been sought.
The General Data Protection Regulation 2016 (‘GDPR’) became part of UK law from 25th May 2018. The Data Protection Act 2018 (‘DPA 2018’) will replace the DPA 1998. The GDPR updates the law, taking into account technological changes. It improves the rights of individuals and increases the accountability of organisations.
This policy sets out how Access Law Online Ltd (‘ALO’) complies with the Data Protection Act 1998, the GDPR and the DPA 2018.
ALO collects personal data for many reasons. We must process data to run our business and to provide the best possible service to our students. The kind of records that we keep of our students, staff (includes employees and temporary workers), and contractors are listed below (this is not an exhaustive list). We collect this data to allow us to meet statutory, regulatory and audit requirements, and to run our business effectively.
Students (including alumni)
Staff (including former staff)
Job application documents and forms
References received and given
Next of kin details for emergency contact
Payroll and tax information
Equality and diversity information
Planned and unplanned absence records including sickness records
Information provided by third parties
Medical and health information
Mitigating circumstances documents
Job performance and probation records
Academic misconduct information
Records relating to promotion or transfer
Training and development records
Record of service
Health and safety information
Records relating to accident or injury at work
Contact details and payment details
Passport and financial details
ALO holds, and processes, personal information and therefore registers with (“notifies”) the Information Commissioner as a “data controller”. The Information Commissioner is responsible for overseeing information legislation and will be the relevant supervisory authority under the DPA 2018.
You have the right:
- to ask ALO for a copy of your personal data (a data subject access request) as detailed in Appendix One.
- to object to processing that is causing you, or is likely to cause you, damage or distress;
- to object to communications or direct marketing;
- in certain circumstances to require us to correct or erase your personal data (this right is subject to the application of a public interest test); and
- to compensation for damages caused by a breach of the DPA 1998.
ALO will retain student data in accordance with the Records Management Policy.
You have the right to lodge a complaint with the Information Commissioner’s Office at https://ico.org.uk/concerns/
Where you exercise your right to erasure, we will continue to maintain in respect of past students a core set of personal data (name, subject(s), record of learning and achievement and award details, unique ALO identification number and date of birth) to ensure we do not contact you inadvertently in future, while still maintaining our record of your academic achievements. We may also need to retain some financial records about you for statutory purposes (e.g. Gift Aid, anti-fraud and accounting matters). We will apply the public interest test when considering any request to delete personal data.
Personal data means data which relates to a living individual who can be identified–
- from that data, or
- from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. It is important to note that, where the ability to identify an individual depends partly on the data held and partly on other information (not necessarily data), the data held will still be “personal data”. It also includes opinions about the individual.
The more expansive definition in the DPA 2018 includes online identifiers and provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
Sensitive personal data (or ‘special categories of personal data’ under the GDPR) relates to:
- the racial or ethnic origin of the data subject,
- their political opinions,
- their religious beliefs or other beliefs of a similar nature,
- whether they are a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
- their physical or mental health or condition,
- their sexual life,
- the commission, or alleged commission, by them of any offence, or
- any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.
Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the DPA 2018 depending on how difficult it is to attribute the pseudonym to a particular individual.
The categories of data are broadly drawn so that, for example, information that someone has a broken leg is classed as sensitive personal data, even though such information is relatively matter of fact and obvious to anyone seeing the individual concerned. Clearly, details about an individual’s mental health, for example, are generally more ‘sensitive’ than whether they have a broken leg. We will record any agreement to include sensitive data in records of conversations with students.
The responsibility of the Data Protection Officer (‘DPO’) is as follows:
- To inform and advise the organisation and its employees about their obligations to comply with the GDPR and DPA 2018 and other relevant laws.
- To monitor compliance with the DPA 2018 and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.
- To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, students etc)
ALO ensures that the DPO:
- Reports to the highest management level
- Operates independently and cannot be dismissed, or penalised, for performing their task
- Has adequate resources to enable them to meet the obligations under the DPA 2018
Consent under the DPA 2018 must be freely given, specific, informed and an unambiguous indication of an individual’s wishes. There must be some form of clear affirmative action – a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and there must be a simple way for people to withdraw consent.
The data controller (ALO) shall be responsible for, and able to demonstrate compliance with, the following principles:
This means that we must:
- have legitimate grounds for collecting and using your personal data;
- not use the data in ways that have unjustified adverse effects on the individuals concerned;
- be transparent about how we intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;
- handle the personal data of both students, employees and contractors only in ways they would reasonably expect; and
- make sure we do not do anything unlawful with the data.
The lawful basis for the processing of data by ALO is that processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract and/or has been carried out with the consent of the data subject.
There are two specific areas where ALO will process special categories of personal data. These are where:
- processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of an employee or student, medical diagnosis, the provision of health or social care or a contract with a health professional or a nonmedical help supplier
- processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes
It shall not be further processed in a manner that is incompatible with those purposes but further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
4.3 Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
This means we must ensure that the personal data held is sufficient but that no more is held than we need. We will not hold information that we will never need but we may hold information for a foreseeable event that never occurs.
We will identify the minimum amount of personal data we need to properly fulfil our purpose. We will hold that much information, but no more.
Every reasonable step will be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay
4.5 Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the DPA 2018 in order to safeguard the rights and freedoms of individuals
This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Security is a critical part of keeping information confidential. ALO takes steps to ensure that all information is held securely both physically and electronically. Appendix Four details our security procedures and Appendix Five details the procedure for dealing with any breaches of information security.
There are two types of data sharing: systematic and exceptional
‘Systematic’ means a routine sharing of data or pooling of data.
‘Exceptional’ is one-off sharing (which might have to happen in an emergency)
When deciding whether to share data ALO will consider the following:
- What is the sharing meant to achieve? We will have a clear objective, or set of objectives. Being clear about this allows us to work out what data we need to share and who with. We will document this.
- What information needs to be shared? We won’t share all the personal data we hold about someone if only certain data items are needed to achieve our objectives.
- Who requires access to the shared personal data? We employ ‘need to know’ principles, meaning that other organisations should only have access to your data if they need it, and that only relevant staff within those organisations should have access to the data. This will also address any necessary restrictions on onward sharing of data with third parties.
- When should it be shared? Is this an on-going, routine process or should it only take place in response to particular events?
- How should it be shared? This involves addressing the security surrounding the transmission or accessing of the data and establishing common rules for its security.
- How can we check the sharing is achieving its objectives? We will judge whether it is still appropriate and confirm that the safeguards still match the risks.
- What risk does the data sharing pose? For example, is any individual likely to be damaged by it? Is any individual likely to object? Might it undermine individuals’ trust in us?
- Could the objective be achieved without sharing the data or by anonymising it?
- Do we need to update our notification?
- Will any of the data be transferred outside of the European Economic Area (EEA)?
Data will be shared routinely with the Scottish Qualifications Authority (SQA) and the Council for Licensed Conveyancers (CLC). When students register with us they consent to this sharing of data. Where data is shared routinely with other organisations a data sharing agreement will be in place.
These will, at least, document the following issues:
- the purpose, or purposes, of the sharing;
- the potential recipients or types of recipient and the circumstances in which they will have access;
- the data to be shared;
- data quality – accuracy, relevance, usability etc;
- data security;
- retention of shared data;
- individuals’ rights – procedures for dealing with access requests, queries and complaints;
- review of effectiveness/termination of the sharing agreement; and
- sanctions for failure to comply with the agreement or breaches by individual staff.
Is the format of the data being shared compatible? The format of the data being shared must be compatible with the systems used by all those sharing. We will check that information is held in the same way and that it is accurate. If we need to share data urgently, we will test how well the systems used for sharing the data work when it is not urgent.
Is the information we are sharing accurate? We will agree how any incorrect data will be corrected by all parties. Agree common retention and destruction arrangements for the data sent and received. Staff in the area affected will be sufficiently trained to know when to share data and in what circumstances
ALO complies with the Social Care Institute for Excellence guidelines on sharing information including compliance with the Prevent duty under the Counter-terrorism and Security Act 2015. Information will be shared with the right people at the right time to:
- Prevent death or serious harm
- Coordinate effective and efficient responses
- Enable early interventions to prevent the escalation of risk
- Prevent abuse and harm that may increase the need for care and support
- Maintain and improve good practice in safeguarding students
- Reveal patterns of abuse that were previously undetected and that could identify others at risk of abuse
- Identify low-level concerns that may reveal people at risk of abuse
- Help people to access the right kind of support to reduce risk and promote wellbeing
- Help identify people who may pose a risk to others and, where possible, work to reduce offending behaviour
- Reduce organisational risk and protect reputation
If you use the internet to carry out certain transactions with ALO, your computer will store small pieces of information, known as ‘cookies’, in its memory. Cookies cannot read your computer’s hard disk or make any information available to third parties. They are used so that we can easily recognise you when you return to our websites and, as a result, will enable us to provide you with a better service. We also track user traffic patterns in order to determine the effectiveness of our website. We do not release this information to third parties. If you prefer not to receive cookies while browsing our website, you can set your browser to refuse them. However, if you are a registered student with ALO you will need to allow “per-session” cookies in order to access password-protected sites.
If you have any queries or concerns about the handling of your personal data please contact the Data Protection Officer at: dataprotection@ALO.com
If you remain dissatisfied with the handling of your request or complaint, you have a right to appeal to the Information Commissioner. There is no charge for making an appeal.
Contact details are: The Information Commissioner’s Office Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF Telephone: 01625 545745 or 0303 123 1113 (local rate) or email: firstname.lastname@example.org
This policy is subject to review every 3 years
Signed by: …………………………………………….
Who can access information?
ALO will make sure that only people that need personal information can have access to it. An individual can make a “subject access request” about themselves. If a third-party requests information about an individual, the individual must give informed consent to the third party seeking that information. Sponsoring employers will have explicit consent to see the name, date of birth, unique ALO reference number, programme of study, progress and results of sponsored employees.
Personal information held on employees will only be disclosed to members of the HR department, their own line manager, or a senior manager where specific action is required. If an employee accesses another employee’s records without authority, this is deemed an act of gross misconduct under our disciplinary policy and is a criminal offence under section 55 of the DPA 1998.
To ensure that information is only disclosed to people who are entitled to see it, the identity of the person requesting the information will be validated before disclosure.
Prospective Student
When receiving a request for information by any means, information will only be disclosed if the following checks are passed:
Either
- a valid application number has been supplied.
- the name supplied matches the name held against the application.
- If an email address is supplied it must match to an email held against the application.
Or
- the following information is supplied and matches to an application: name, date of birth, programme applied for, approximate date of application (+/- 2 years).
When receiving a request for information by post or email information will only be disclosed if the following checks are passed:
- A valid student number has been supplied.
- The name supplied matches the name held against the student number.
- If an email address is supplied it must match to an email held against the student.
When a request for information is made over the phone the identity of the caller will be verified by:
- Obtaining a valid student number.
- Obtaining a name that matches to the student number.
- Obtaining the name of the programme they are studying.
- If there is any doubt the date of birth should also be checked to confirm identity.
If a student is unable to supply their student number then the following information should be supplied and should match to ALO’s records before disclosing the student number:
- Full name.
- Email address.
- Date of birth.
- Programme being studied
When receiving a request for information by any means information will only be disclosed if the following checks are passed:
- a valid student number has been supplied.
- the name supplied matches the name held against the student number.
- If an email address is supplied it must match to an email held against the student.
The following information is supplied and matches to ALO’s records:
- name when studied at ALO,
- date of birth,
- programme studied,
- approximate date of graduation (+/- 2 years).
Approved Third Party
This is when a student has given permission for a third party to access their information in writing and the approval has been verified as coming from the student. The third party must provide the following information in all communication and this must match to the information held against the student:
- Student number and/or date of birth
- Student name whilst registered as a student
- Third party name.
- Third party relationship with student.
- Signed/dated authorisation
Current Member of Staff
When receiving a request for information from a current member of staff the request must either come from the staff member’s email address or be made in a 1-1 meeting with the staff member, either verbally or by the handing over of a written request.
Past Member of Staff
When receiving a request for information from a past member of staff the person should be requested to supply a full name
Other Contact on Database
ALO holds information on suppliers, course delegates and other people who have worked with ALO or who are marketed to by ALO. If a request is received from one of these individuals for information by default provision of a name and address or name and email address that matches our records is viewed as sufficient information to identify them.
Making a subject access request
All staff members are trained in data protection as part of their induction and on an ongoing basis so will be able to recognise a request for personal data and will pass it immediately to the DPO.
How to make the request
The request should be in writing and should be made by the individual (the data subject) unless they have authorised a third party to make the request. The identity validation process set out above will ensure that personal information is only disclosed to someone who has the right to see it.
What you are entitled to
Subject access entitles an individual to more than just a copy of their personal data. An individual is also entitled to be:
- told whether any personal data is being processed – so, if we hold no personal data about the requester, we must still respond to you to let you know this;
- given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people; and
- given details of the source of the data (if known).
What we will do
The request will be logged in the Subject Access Request log on the SharePoint system. The log will record the date and time the request was received, who it was received from, the staff member who received the request and a reference number for the request will be allocated.
The DPA 1998 allows some discretion when dealing with requests that are made at unreasonable intervals. It says we are not obliged to comply with an identical or similar request to one we have already dealt with, unless a reasonable interval has elapsed between the first request and any subsequent ones. Although there is no statutory definition of a reasonable interval as it depends on factors such as how often the data is updated we will generally consider a reasonable interval to be within the last three months. A search of previous requests will be made to ensure that this is not a similar request to one made previously. Legal advice will always be sought if a request is to be refused. The DPA 2018 will have grounds for refusing on the basis of ‘manifestly unfounded or excessive’ requests.
The ‘disproportionate effort’ exception is in section 8(2) of the DPA 1998. The Court of Appeal has provided clarification as to its application in its 2017 judgments in the cases of Dawson-Damer & Ors v Taylor Wessing LLP [2017] EWCA Civ 74 and Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd & Ors; Deer v University of Oxford and University of Oxford v Deer. The DPA 1998 does not define ‘disproportionate effort’, but the court has determined that there is scope for assessing whether, in the circumstances of a particular case, complying with a request by supplying a copy of the requested information in permanent form would result in so much work or expense as to outweigh the requester’s right of access to their personal data. The courts have also made it clear that in assessing whether complying with a Subject Access Request would involve disproportionate effort under section 8(2)(a) we may take into account difficulties which occur throughout the process of complying with the request, including any difficulties we encounter in finding the requested information. If the request for information is very vague, clarification can be sought as to what is being requested. If such clarification is sought, this should be noted in the Subject Access log on SharePoint.
Finding the information
The DPO will coordinate the response but may need to contact the Information Champions in each area who will be responsible for searching the records in their area and providing the information to the DPO.
The time period for dealing with a SAR is 40 calendar days but this will be one month under the DPA 2018. ALO will endeavour to respond as soon as possible.
Format and exemptions
The DPO is responsible for deciding what information should be disclosed, what exemptions should be applied (see below) and what format the response should be sent in. ALO will try to provide information in the format which has been requested but cannot guarantee that this will always be possible or practical. Where exemptions are applied legal advice will be sought. Possible exemptions include (this list is not exhaustive and is subject to changes which will be made under the DPA 2018):
- References given (not received)
- Publicly available information
- Management information (such as restructuring or possible redundancies)
- Negotiations with the requestor
- Legal advice and proceedings
- Third party data (see Appendix Three for details)
Exemption for requests for information about the outcome of academic, professional or other examinations
These rules, which apply to requests for examination scripts, marks or markers’ comments, are designed to prevent the right of subject access being used as a means of circumventing an examination body’s processes for announcing results. Information comprising the answers given by a candidate during an examination is exempt from the right of subject access. A Subject Access Request (‘SAR’) cannot be used to obtain a copy of an individual’s examination script.
Although this exemption does not extend to an examiner’s comments on a candidate’s performance in an examination (whether those comments are marked on the examination script or recorded on a separate marking sheet), or to details of the marks awarded, there is a special rule governing the time limit for responding to a Subject Access Request for such information in cases where the Subject Access Request is made before the results are announced. In such cases, a response must be provided within the earlier of:
- five months of the date of the request; and
- 40 days of the date on which the results are announced.
Where a request is made for an individual’s examination marks, a response may only be refused (or delayed) for reasons permitted by the legislation. We would not refuse to provide details of examination marks in response to a Subject Access Request because the requester had failed to pay their tuition fees. Clearly, though, providing information about examination results is not the same as conferring a qualification.
Sending the information
A full audit trail will be maintained by the DPO of exemptions applied and how decisions about what should be disclosed have been taken.
When the information is sent the SAR log on SharePoint will be updated confirming date and time the information was sent. A copy of the information supplied will be retained by the DPO.
The Data Protection Act 1998/2018 says we do not have to comply with a Subject Access Request if to do so would mean disclosing information about another individual who can be identified from that information, except where:
- the other individual has consented to the disclosure; or
- it is reasonable in all the circumstances to comply with the request without that individual’s consent.
This will remain the case under the GDPR. Although we may sometimes be able to disclose information relating to a third party, we need to decide whether it is appropriate to do so in each case. This decision will involve balancing the data subject’s right of access against the other individual’s rights in respect of their own personal data. If the other person consents to us disclosing the information about them, it would be unreasonable not to do so. However, if there is no such consent, we must decide whether to disclose the information anyway.
Step 1 – Does the request require the disclosure of information that identifies a third party?
Is it possible to comply with the request without revealing information that relates to and identifies a third-party individual? We must take into account the information we are disclosing and any information we reasonably believe the person making the request may have, or may get hold of, that would identify the third-party individual. The obligation is to provide information rather than documents, so we may delete names or edit documents if the third-party information does not form part of the requested information. However, if it is impossible to separate the third-party information from that requested and still comply with the request, we will take account of the following considerations.
Step 2 – Has the third-party individual consented?
In practice, the clearest basis for justifying the disclosure of third party information in response to a Subject Access Request is that the third party has given their consent. It is therefore good practice to ask relevant third parties for consent to the disclosure of their personal data in response to a Subject Access Request. However, we are not obliged to try to get consent and in some circumstances, it will clearly be reasonable to disclose without trying to get consent, such as where the information concerned will be known to the requester anyway. It may not always be appropriate to try to get consent, for instance if to do so would inevitably involve a disclosure of personal data about the requester to the third party.
Step 3 – Would it be reasonable in all the circumstances to disclose without consent?
In practice, it may sometimes be difficult to get third-party consent, e.g. the third party might refuse consent or might be difficult to find. If so, we must consider whether it is 'reasonable in all the circumstances' to disclose the information about the third party anyway. The Data Protection Act 1998 provides a non-exhaustive list of factors to be taken into account when making this decision. These include:
- any duty of confidentiality owed to the third-party individual;
- any steps you have taken to try to get the third-party individual’s consent;
- whether the third-party individual is capable of giving consent; and
- any stated refusal of consent by the third-party individual.
Confidentiality is one of the factors you must take into account when deciding whether to disclose information about a third party without their consent. A duty of confidence arises where information that is not generally available to the public has been disclosed to you in the expectation that it will remain confidential. The following relationships would generally carry with them a duty of confidence in relation to information disclosed.
- Medical (doctor and patient)
- Employment (employer and employee)
- Legal (solicitor and client)
- Financial (bank and customer)
- Caring (counsellor and client)
There will be new guidance from the ICO on Subject Access Requests at the end of 2017/beginning of 2018 and this policy will be amended to reflect this.
ALO Policy Data Protection Policy
© ALO 06/12/2017 V 6.00
Buildings
We take the following measures to make sure the information we keep is secure within our buildings, and that unauthorised people cannot access it:
- Controlled access to buildings
- ID cards for staff
- Intruder alarms
- CCTV
- Out of hours access policy
- Visitors registered and escorted whilst in the building
Documents
The following guidance helps to keep documents secure:
- Paper file covers are marked with “Confidential” plus “Human Resources”, “Financial”, “Legal” or “Administrative” to classify the contents and retention instructions
- Strong passwords are used, at least seven characters, upper and lower case, using numbers and special keyboard characters (such as currency symbols)
- Passwords are not shared
- You should only be able to access the information you need to do your job. Please contact your manager if you come across personal data that is not secure.
- If you hold confidential files keep them in a locked cabinet and never leave them in open trays or on desktops at the end of the day, or while you are away from your desk.
- If you are away from your desk you should “lock” your computer. You can do this by pressing “ctrl + alt + delete” and then choosing “lock” (or start symbol and L). Staff are accountable for all computer activity and transactions made under their user ID, whether they are present or not.
- Before a file is archived make a note of the date for destruction (or review) on the paper, or electronic, file. This should be x years from the date of closure of the file.
- Files should be destroyed at the appropriate time under ALO’s document retention and destruction policy
- Keys to any ALO property or equipment should be unmarked and kept in a secure key store.
Please also refer to the Remote Working Policy for further detailed advice on remote working and the use of laptops, mobile phones, tablets and memory sticks.
Communications
Many of the breaches of data security reported to the Information Commissioner involve issues with email and all staff must have regard to the following:
- Consider whether the content of email should be encrypted or password protected
- Some email software “suggests” addresses as you type. Check which is the correct one.
- Use blind copy, not carbon copy, if you do not want recipient’s email revealed to others
- Be very careful with groups on email. Check the current listing before using. Does everyone in the group need to see the email? Is it appropriate?
- If you send a sensitive email from a secure server to an insecure recipient, security will be threatened. Check the security of the recipient and whether there is a data sharing agreement in place. If necessary, agree a different way to send the information
- Be wary of long email chains. There might be people at the beginning of the chain who should not see the email you are sending.
- Be aware that email is an open system, and emails may have to be disclosed because of a Subject Access Request. Do not send an email which you would not be happy to have read out in open court.
Storage
All staff are responsible for keeping a record of their work in accordance with agreed procedures. Staff can make use of social media for work purposes but must ensure that anything they contribute which has continuing value to the organisation is added to the organisation’s records. The boundaries between work and personal easily blur. If the communication relates to work it is corporate information which must be available to those who need that information. Emails sent, or received, from portable devices should be stored in the right place so those who need to see them can do so.
When a file is opened there should be a review, or destruction, date which will either be when the file is closed, or a set period after closure. Whether the file is manual, electronic, or both, a review or destruction date should be clearly noted on the file. For “general” or “management” files these can be reviewed two years from creation with an assumption that both paper and electronic copies will be destroyed unless there is a clear reason why it should be kept. For archive purposes only one copy of most management files is required and will be maintained by the Executive Support Team.
Both electronic and paper files should be stored in systems allowing easy access to those who need to use those files. Files contain information that can be useful, possibly vital, for others to know. Equally files may contain sensitive personal data and should only be accessible to those who need to know. We have guidelines on storage of information and these should be followed.
All files should be stored securely. For detail on secure storage electronically and the use of laptops, tablets, mobile phones and memory sticks please refer to the Remote Working Policy. There is a document retention and destruction policy which should be complied with.
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It can be about a breach of confidentiality, availability of data or integrity of data. All personal data breaches are security incidents. Not all security incidents are necessarily personal data breaches. Examples of data breaches are:
- Data is sent to the wrong person or files are left in a public area.
- IT equipment is lost or stolen. Even if the information is encrypted a potential information security breach has occurred and needs to be investigated.
- Paper records are lost or stolen.
- Data is destroyed when it should not be.
- Data is damaged in some manner.
- Mobile technology is lost or stolen.
What to do first
On becoming aware of a data security breach, ALO must be informed immediately. They will then log the issue in the Information Security Breach Log. As soon as ALO have logged the breach they will attempt to contact the DPO as it is their responsibility to ensure that the breach is handled correctly. If the breach is serious (see definition of serious below) then the DPO should be contacted immediately by phone or in person. If they cannot be contacted then attempts should be made to contact the Principal or another member of the senior leadership team so that they are aware of the situation.
For a non-serious breach, so long as the DPO can be contacted within 24 hours there is no need to contact the Principal or another member of the senior leadership team.
An information security breach will be classified as serious if there is a likely risk to individuals as a result of the breach. Examples of a serious breach are:
- Data has been disclosed due to malicious action (e.g. a hacker has gained access to information)
- Electronic data on a number of people (students or staff) has been lost and it is unencrypted
- Information on a number of people has been disclosed and the information contains more than a simple list of names
- Disability, health or banking information has been disclosed for any individual
ALO should immediately attempt to establish the nature/risk of breach, as not all breaches will be significant, by establishing the following:
- What type of data is involved?
- Who is the data controller? Any disclosure of information by ALO is important, but if ALO is not the data controller then other organisations will need to be informed
- How sensitive is the data? – both in terms of the DPA and to the individuals.
- What damage could be caused to individuals?
- What data subjects have been affected?
- How many data subjects have been affected?
- What is the breach?
- What systems are affected?
- Where is the relevant information held?
- Any third parties involved? E.g. other data controllers or data processors
- Are there any wider consequences to consider? – for example physical safety
Once it is clear what has happened and what has been exposed then the first priority is one of containment. This means ensuring business continuity by deciding what immediate corrective action is required to close the breach. This should consider whether anything can be done to recover the loss and any steps to limit the damage. The actions taken will need to be documented.
We will notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed such a breach is likely to have a significant detrimental effect on individuals – for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify those concerned directly.
If communicating, the most appropriate method of communication (post, email, phone) should be selected. The choice will be influenced by:
- Quality of database – it is not possible to phone if no phone numbers exist
- Information to be provided – if forms are to be supplied the phone is not appropriate
The actual communication should contain the following:
- The nature of the breach including how and where it happened
- Name and contact details of the Data Protection Officer
- Likely consequences
- What data was involved
- The steps taken, or being taken, to mitigate any issues
- Steps data subject can take to avoid issues (e.g. resetting passwords)
- Links to/information on any further help available
Importantly it must be written in clear plain English and must be checked to ensure the communication is not going to compound the issue. A ‘high risk’ means the threshold for notifying individuals is higher than for notifying the relevant supervisory authority.
A notifiable breach will be reported to the relevant supervisory authority within 72 hours of ALO becoming aware of it. The DPA 2018 recognises that it will often be impossible to investigate a breach fully within that time-period and allows for the provision of information in phases. If the breach is sufficiently serious to warrant notification to the public, ALO will do this without undue delay.
Record keeping and learning lessons
Throughout the process everything should be documented for the particular incident. This is vital as the ICO will expect to see documentary evidence that an investigation has been carried out.
These reports should be stored in the Data Protection File for six years. The Information Security Breach Log should be used to capture the top-level information and will be used as a summary and to ensure all actions have been closed. The detail on the breach and the activities taken to resolve it should be recorded as the breach is investigated and resolved.
There is a naming convention, including folder, title, date and initials, to help with the audit trail. The DPO is responsible for this.
All information security breach reports will be presented to the Senior Leadership Team at their next available meeting.