First version: 2021-04-15
Last updated: 2023-10-19
Last change: Link to Data Protection policy
Last reviewed: 2024-10-30
Introduction
Every care is taken by anDREa to protect personal data from situations where a data protection breach could compromise security.
This policy and procedure applies to all staff, partners, (sub)contractors, tenants, and users or third parties we work with. It should be read in conjunction with the anDREa’s
Data Protection Policy.
The objective of this policy is to enable staff to act promptly to contain any breaches that occur, minimizing the risk associated with the breach and to take action if necessary to secure personal data and prevent further breaches.
anDREa expects its staff and delegated people to embed security and prevention practices in their normal working day to ensure personal, or special category, data is protected for the purposes of Workspaces in the Shared Tenant of anDREa and must take appropriate steps to safeguard this information.
Under the Data Protection Act, although there is no legal obligation on data controllers to report breaches of security, the new General Data Protection Regulation (GDPR) means we have to report any breach that is likely to impact on data subjects. The procedure below is set out to help identify when a breach has taken place and what the action should be.
Definitions
Data Breach Procedure
1 Identifying and Reporting a Data Breach
If you discover a data breach, establish whether is related to:
- anDREa user data/accounts
- data in a Workspace accessed or accessible by unauthorized people or services
- (study) data accessed or accessible by unauthorized people or services other than via a Workspace
When #3 is applicable, please contact the Chief Technology Officer (CTO) of the responsible Tenant and/or the person responsible for that data. If this is impossible, please contact anDREa’s Data Protection Officer:
Contact information
When #1 or #2 is applicable you must report this to anDREa’s Chief Technology Officer (CTO) immediately.
anDREa’s Data Protection Officer is Stefan van Aalst and any breach, or suspected breach, can be sent for his attention via:
Contact information
All breaches big or small, regardless of the harm or potential harm, should be identified and reported.
False alarms or even breaches that do not cause any harm to individuals or to anDREa should nevertheless be reported as it will enable anDREa to learn lessons in how to respond and the remedial action that we put in place.
We have a legal obligation to keep a register of all data breaches. Please ensure that you report any breach, even if you are unsure whether or not it is a breach.
It is the responsibility of the DPO, not yours, to report to the authorities.
anDREa is not obliged to have a Data Protection Officer (DPO), the DPO responsibilities fall under the responsibilities of anDREa Chief Technology Officer (CTO)
2 Investigating the Data Breach
When you report a data breach to the CTO, they will promptly investigate the breach to ascertain whether we are fully aware that a breach has occurred leading to personal data being compromised for our data subjects.
The investigation will be done within 48 hours of a breach being reported to anDREa, so that it can ensure it complies with the 72 hour deadline to report any data subject or serious security breaches in a timely way to the CTO data breach may result in disciplinary action.
3 Assessing the Data Breach
Once you have reported a breach and our CTO has investigated it and has decided that we are aware that a breach has occurred, CTO will log the breach in our Data Breach Register and will carry out an initial assessment of the breach to evaluate its severity.
Once the level of severity is known, our CTO will notify management. If necessary, we will appoint a response team which may involve for example our HR and IT teams and we will assign responsibility for particular tasks as necessary across the response team.
We will then investigate the breach and consider any on-going risks to anDREa and any individuals affected. If our CTO and management consider that the breach is very serious, they will consider the impact on our reputation and the effect it may have on the trust placed in us.
Our CTO and senior management will investigate the breach and consider a recovery plan, if required, to minimise the risk to individuals. As part of the recovery plan, our CTO and senior management may interview any key individuals involved in the breach to determine how the breach occurred and what actions have been taken.
Unless the breach is unlikely to impact on data subjects or result in a risk to the rights and freedoms of individuals, we must notify the breach to the AP within 72 hours of becoming aware of the breach. We must also notify the individuals concerned as soon as possible where the breach is likely to result in a high risk to their rights and freedoms.
The content of the notification will be drafted by our CTO, and any notification to the AP must only be made by the CTO.
6 Notifying a Data Breach to Individuals/Tenants
We must also notify the individuals concerned as soon as possible where the breach is likely to result in a high risk to their rights and freedoms.
The content of the notification will be drafted by our CTO in line with our procedures and in conjunction with consulting the AP if considered necessary. We will notify individuals and Tenants in clear and plain language and in a transparent manner (for example by email or SMS). Please be aware that under no circumstances must you try and deal with a data breach yourself.
In some circumstances, we may not need to notify the affected individuals. Our CTO will decide whether this is the case.
7 Updating Notifications
We need to keep the AP up to date about the data breach. If anything changes from the time we send the initial notification to the AP, our CTO will consider whether we need to update the AP about the data breach.
8 Evaluation and Response
The key to preventing further incidents is to ensure that anDREa learns from previous incidents.
It is extremely important to identify the actions that anDREa needs to take to prevent a recurrence of the incident. Our CTO and the Senior Leadership Team will carry out an evaluation as to the effectiveness of our response to the data breach and document this in our
Data Breach Register. Senior management may then make changes to anDREa’s procedures to minimize the likelihood of incidents occurring again.