Dealing with a Data Breach
This document is an overview of data protection requirements and is aimed at Money Free Party workers, party activists, our volunteers and any individual we authorise to view our members' personal information. For fuller instructions about dealing with a data breach, see the Information Commissioner's Office website at: ico.org.uk
What is a personal data breach?
This is a breach of security that leads to the accidental, deliberate or unlawful "…destruction, loss, alteration, corruption, unauthorised disclosure of, or access to, personal data" held by the Money Free Party UK. Failing to report a breach to the ICO when required to do so can result in a heavy fine. Media and public attention, and the loss of party members' trust and confidence following such a failure, would probably have adverse outcomes.
What should the Money Free Party do?
1. Establish whether a personal data breach has occurred. Be open and sincere and, if applicable, admit fault and responsibility.
2. Decide how it should be handled and assess the risk involved, referring to section IV of the Article 29 Working Party guidelines. Some breaches cause potentially significant material loss and emotional stress; others cause only a small inconvenience. Each case must be assessed individually. Also refer to the ICO guidance "Personal Data Breaches".
3. If necessary, employ third-party IT professionals.
4. Document the fault as laid out here and immediately report the incident to the data supervisor, email@example.com. Reports should contain the fullest details possible.
5. Carry out an initial assessment to mitigate the breach and, if applicable, describe solutions for affected users; we believe few people will care what caused the situation, but they will care about what we are doing to put it right.
6. Record the event in the central log below, which will be monitored to track types of breaches and frequently recurring issues. Note that this log requests similar details to your fault documentation in 4 above (and 8 below, should you report to the ICO), so you may wish to complete them all at the same time. Note also the reasoning for the central log: it is used not only as a quick, statistical and central reference to breaches but also as a method to identify recurring issues and/or similarities to previous events.
7. Inform the Information Commissioner's Office (ICO) within 72 hours if the breach is "….likely to result in a high risk of adversely affecting individuals' rights and freedoms". Guidance about what this means and when it is necessary to inform the ICO is linked here.
8. Consider notifying the individual(s) concerned. Not all data subjects need to be advised, if any at all. See the ICO "When do we need to tell individuals about a breach" section, documented here.
9. Educate to prevent issues happening in future.
Central Breach Log
1. ALL data breaches, whether notifiable to the ICO or not, should be logged below.
2. Press SUBMIT and the record will be emailed to firstname.lastname@example.org. Check that you have received a success message on screen to confirm your email has been sent. Use the Contact page to report any errors.
3. email@example.com will store the submission in a central durable medium for unchanged future reference and easy retrieval.
- ICO guide to what to do after a data breach
- ICO assessment of how UK political parties handle people's personal data (PDF document)
- ICO guide for elected and prospective representatives and their staff, political parties and campaigners
- Data privacy, protection and cyber security magazine CPO: brief article about GDPR and political parties
- UK-based digital campaigning organisation protecting rights to privacy
- ICO examples of data breaches and what to do