Data Breach Policy

1.   Introduction


1.1   A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that result from either accidental or deliberate causes. A breach is therefore not limited to losing personal data: unauthorised access, alteration or disclosure also count.


2.  Scope


2.1   This policy and related procedures apply to all staff members, Trustees, Multi Scheme Administrators (MSAs), Force Area and Borough Association leads and other Watch members that process Watch data.


3.  Assessing the Risk of a Data Breach


3.1  If our organisation experiences a breach of personal data it controls, the breach must be reported immediately to our organisation by the staff member, Trustee or member who first becomes aware of it. Our organisation will then assess the likelihood of a risk to people's rights and freedoms resulting from the breach and, if a risk is likely, its severity. If a risk is likely, the ICO must be notified; if a risk is unlikely, the breach does not have to be reported. Not every breach needs to be reported to the ICO. Where Association leads are notified about a data breach, their decision whether or not to report it to the ICO, and the reasons for that decision, should be notified to our organisation or discussed with them within the 72-hour timescale for notifying the ICO (see 4.1 below).


3.2   All decisions about reporting or not reporting data breaches to the ICO must be recorded in the Data Breach Notification Log (See 6.1 below).


4.  Reporting a Data Breach


4.1  If it is decided that the breach needs to be reported to the ICO, our organisation or the Association lead must notify them within 72 hours of becoming aware of the essential facts of the breach.


4.2  The breach will generally be reported by telephone to the ICO helpline on 0303 123 1113. Normal opening hours are Monday to Friday, 9am to 5pm. The ICO will record the breach and give advice about what to do next. A breach can be reported outside these hours online (see 4.5 and 4.7 below).


4.3  The person making the report should have the following information, or as much of it as is available, to hand:

  • name and contact details of the staff member the ICO should liaise with

  • what has happened

  • when and how the breach was discovered

  • basic information about the type of breach

  • basic information about the personal data concerned

  • the people that have been or may be affected by the breach

  • what our organisation is doing as a result of the breach;

  • who the ICO should contact if they need more information; and

  • who else has been told.


4.4  If possible, full details of the incident should be included, together with the number of individuals affected and its possible effect on them, the measures taken to mitigate those effects, and information about any notification made to those people affected.


4.5  If these details are not yet available, the incomplete report should be submitted to: - and further details provided to the ICO as soon as possible.


4.6  A second notification report must be submitted to the ICO within three days, either including these details or telling them how long it will take to obtain them.


4.7  If our organisation experiences a data breach that needs to be reported to the ICO and the CEO is confident it has been dealt with appropriately, it can be reported online. An online report can also be made if the breach is still under investigation and more information will be provided at a later date (within the three-day period in 4.6 above). The online form can also be used to report breaches outside normal ICO opening hours.


5. Notifying Users Affected by a Data Breach


5.1  If the breach is likely to adversely affect the personal data or privacy of users, the affected users must be notified of the breach without undue delay. They must be told:

  • the name and contact details of our organisation's contact;

  • the estimated date of the breach;

  • a summary of the incident;

  • the nature and content of the personal data;

  • the likely effect on the individual;

  • any measures our organisation has taken to address the breach; and

  • how they can mitigate any possible adverse impact.

5.2  Users do not need to be told about a breach if our organisation can demonstrate that the data was encrypted (or made unintelligible by a similar security measure) such that it is unintelligible to anyone not authorised to access it. This only applies where the encryption key or equivalent was not itself compromised in the breach; if the key was also lost or exposed, the data must be treated as readable and users notified.


5.3  If users are not told, the ICO can require our organisation to do so if they consider the breach is likely to adversely affect them.


6.  Keeping Records


6.1  Our organisation must keep a record of all personal data breaches in an inventory or log, whether or not they are reported to the ICO. Documents can be attached if necessary. The Data Breach Notification Log can be found in the Data Protection Policies and Forms section in the Admin folder on the Shared drive and must contain:

  • the facts surrounding the breach;

  • the effects of the breach; and

  • remedial action taken.

6.2   The Data Breach Notification Log should be submitted to the ICO should a breach need to be reported to them.
