Data Breach Policy
A personal data breach is a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches resulting from both accidental and deliberate causes. It also means that a breach is about more than just losing personal data.
It is a security incident that has affected the confidentiality, integrity or availability of personal data. Whenever a security incident takes place, the school should quickly establish whether a personal data breach has occurred and, if so, promptly take steps to address it, including informing the ICO if required.
The ICO must be informed if the breach has resulted in a risk to people’s rights and freedoms; if such a risk is unlikely, the breach does not have to be reported. However, if a breach has not been reported, the school should be able to justify this decision.
In assessing whether a data breach has created a risk to people’s rights and freedoms, Recital 85 of the GDPR should be consulted, which states:
“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”
If a data breach has occurred and this has been caused by a member of staff, the member of staff could be required to undertake additional training or this could lead to disciplinary action, including dismissal, depending on the nature of the breach.
Data Breach Process
- Data breach reported to either the head teacher or the school data protection officer. Whichever is informed will inform the other with immediate effect.
- Immediate action taken to contain the breach.
- Data Protection Officer begins completion of the data breach document log.
- Any actions from data breach document log carried out.
- Chair of Governors to be informed in a timely manner.
- Completed data breach document log signed off by both the Head Teacher and the Data Protection Officer, with copies kept by both.