This policy applies to all HRB employees, service providers, contractors, Peer Reviewers, interns, agency workers and other persons engaged in activities relating to HRB on a permanent or temporary basis (hereinafter referred to as “Data Users”).
- HRB has put in place a security breach management team ("SB Team"), its members are: Martin Morgan, Sarah Craig, Hamish Sinclair, Carol Cronin and D’Arcy Donnelly. Please contact Martin Morgan in case the primary members of the SB Team are not available when a breach occurs.
- Data Users should contact the DPO if they become aware of a security breach. Typical breaches include situations where an individual’s data is sent to another individual, e.g. two letters in one envelope. Serious cyber attacks are also becoming more common.
- The SB Team has been trained to understand their role in managing the security breach. Dealing with a breach quickly can limit the damage that it causes.
Our SB team will investigate what happened to determine:
- The nature and cause of the breach and
- The extent of the damage or harm that results, or could result, from the breach.
The Data Breach Report template should be filled out by the SB team for all breaches within 48 hours of its occurrence.
The SB team will take action to stop the breach from continuing or recurring and mitigate the harm that may continue to result from the breach. It will consider the following:
- What steps can be taken to stop or minimise further loss?
- What steps can be taken to recover, correct or delete data?
- Does evidence need to be preserved for a potential criminal investigation?
- If the Data Protection Commissioner ("DPC") is notified or becomes involved in a data security breach, she will want to know what has been done to stop or mitigate the breach and what HRB will do to ensure future compliance with the security principal in the Data Protection Act 1988 and2003, as amended (the "DPA"), and the EU General Data Protection Regulation (the "GDPR"). The DPC has powers to obtain information and take enforcement action if necessary.
- It is important that all steps we take as an organisation when dealing with a security breach are documented so that an accurate record of events can be maintained.
The SB team will check criminal insurance and professional indemnity insurance policies or any other relevant policy and consider whether notification is required.
Record-keeping and assessment is the next important step. The SB team may ask you to fill out the detailed data breach assessment form. It is important that this is completed accurately and speedily.
The SB team will need to consider who (if anyone) should be notified of the breach. These could include:
Data subjects: Data subjects may need to be notified that their data has been compromised and given details of the breach, what steps HRB has taken to mitigate the breach and any potential repercussions of the breach for the data subject.
The DPC: The DPA requires notification to the DPC in the event of a data security breach unless certain exemptions apply. In general, a data breach will require notification to the DPC if the data includes:
- the possibility of harm to the data subjects
- a large volume of personal data
- sensitive data (e.g. financial or health information)
Other Data controllers: If there are other data controllers of the personal data in question, we may want to notify them (although this is not a legal obligation under the DPA) We may need to notify other data controllers under the terms of the contract with that data controller or under the requirements of the GDPR.
The Gardaí: if the data breach involved a potentially criminal act, then the Gardaí or other law enforcement agency may need to be notified.
Regulators: some professional regulators may need to be informed of data breaches within their remit.
The SB team will take appropriate legal advice and PR advice as soon as possible and generally in advance of making notification. Common sense should be applied in permitting delay where the breach requires immediate notification to those affected for the health or personal safety of the data subjects.
The SB team will consider whether the data breach has been caused by another data controller (for example, where personal data has been made available to another data controller for the purposes of joined up or shared services) or whether it has been caused by a data processor. If so, it will consider whether there are contract terms in place which have provided HRB with an indemnity.
Where the data security breach has been caused by a third party, the SB team will consider HRB’s contract with the third party, and in particular:
- Are the data protection and data security obligations in the contract appropriate for the purposes of compliance with the security principle in the DPA?
- Does HRB have a claim or any liability for breach of a specific data protection or security obligation in the DPA?
- In the absence of any specific data security provisions consider whether there may be a claim or any liability for breach of confidence or a failure to take reasonable skill and care.
- Does the breach give rise to a right to claim damages? If so, is the value of the claim limited by the contractual limit of liability? Many contracts carve out claims for loss of data and damage to reputation from the limitation and exclusions of liability provisions.
- How will the claim for damages be quantified? Do liquidated damages or service credits apply? Are the costs incurred as a result of the breach recoverable? Is HRB able to pass on any liability it may have following the sanctions taken by DPC to the data processor?
- Does the breach give rise to a right to terminate the contract? In many contracts, the breach of data security clauses will give rise to an express right to terminate.
- In the absence of an express right to terminate, consider whether the breach is sufficiently serious to give rise to the right to terminate the contract at common law for repudiatory breach. Whether such a right can be exercised will depend upon how serious the security breach is and its impact upon the parties’ ability to continue to perform their contractual obligations.
- Does the data security breach trigger any other aspects of the contract, such as audit rights or the implementation of business continuity and disaster recovery plans?
- Are there are any specific contractual administration matters that need to be observed to preserve rights, such as compliance with notice provisions or prescribed alternative dispute resolution procedures?
HRB will need to review the actions of employees who cause data security breaches and decide whether disciplinary action is appropriate. This will involve consideration of:
- HRB’s disciplinary policies and other relevant policies, such as data protection policies, IT and internet use policy and security policies to determine the extent to which the employee has breached their express contractual provisions.
- Whether the employee had received adequate training and guidance on data protection and security responsibilities and ought reasonably to have been aware of HRB’s expectations and the consequences of breaching them.
- Whether there has been any breach of statute that could justify immediate suspension or summary dismissal. Where disciplinary action is appropriate, this must be conducted in accordance with the statutory dismissal and disciplinary procedures and HRB’s own disciplinary procedure.
Following a breach, an investigation will take place and include a review of whether appropriate security policies and procedures were in place and if so, whether they were followed.
Where one or more data processors may have caused the breach, the SB team will consider whether adequate contractual obligations were in place to comply with the security principle and if so, whether the data processor(s) is in breach of contract.
Where security is found not to be appropriate for the purpose of the security principle, the SB team will consider what action needs to be taken to raise data protection and security compliance standards to those required by the security principle. If the DPC is notified or becomes involved in a data security breach, she is likely to request this information.
The above process will be documented by the SB team and employees who it requests to do so, in the template Data Breach Assessment Form.This information will be kept on HRB’s Data Protection.