Notification

Management should determine who needs to be notified of the breach. Every incident will be assessed on a case-by-case basis; however, the following will need to be considered:

  • Whether there are any legal or contractual notification requirements.
  • Whether notification would assist the individuals affected, i.e. whether they could act on the information to mitigate the risks to themselves.
  • Whether notification would help prevent the unauthorised or unlawful use of the personal data.
  • Whether notification would help the Council meet its obligations under the seventh data protection principle (the security principle: appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage).
  • Whether a large number of people are affected, or whether the consequences are very serious.
  • Whether the Information Commissioner's Office (ICO) should be notified. The ICO is notified only where personal data is involved and the breach is likely to result in a risk to the individuals concerned; where notification is required it must be made within 72 hours of the Council becoming aware of the breach.

Failing to notify a breach when required to do so can result in a fine of up to £8.7 million (the standard maximum amount under the Data Protection Act 2018).

All suspected and actual breaches should be recorded, whether or not they are notified, so that they can be evaluated and used to identify measures that reduce the likelihood of a recurrence.

Not every incident, however, warrants notification, and over-notification may generate disproportionate enquiries and work.

Notification to the individuals whose personal data has been affected by the incident will include a description of what has occurred, how and when the breach happened, and the data involved.

Specific and clear advice will be given on what they can do to protect themselves, together with a description of the action the Council has already taken to mitigate the risks.