Data Breach Policy

This Procedure sets out the processes to be followed by ORBIT staff in the event that ORBIT experiences a data breach or suspects that a data breach has occurred. A data breach involves the loss of, unauthorised access to, or unauthorised disclosure of, personal information.

Policy

This Procedure is governed by the ORBIT Privacy Policy.

Introduction

ORBIT is committed to managing personal information in accordance with the GDPR 2018 (the Act) and the ORBIT Privacy Policy.

This document sets out the processes to be followed by ORBIT staff in the event that ORBIT experiences a data breach or suspects that a data breach has occurred. A data breach involves the loss of, unauthorised access to, or unauthorised disclosure of, personal information.

Accordingly, ORBIT needs to be prepared to act quickly in the event of a data breach (or suspected breach), and to determine whether it is likely to result in serious harm and whether it constitutes a notifiable data breach (NDB).

Adherence to this Procedure and Response Plan will ensure that ORBIT can contain, assess and respond to data breaches expeditiously and mitigate potential harm to the person(s) affected.

This document should be read in conjunction with ORBIT’s Privacy Policy.

Process where a Breach occurs or is suspected.

Alert

A privacy or data breach is detected via the ORBIT configuration of Cloudflare, Wordfence and the server firewall. Where a privacy data breach is known to have occurred (or is suspected), any member of ORBIT staff who becomes aware of this must, within 24 hours, alert the Senior Investigator and the Managing Director; their contact details are below.

It is also important to note that ORBIT staff members are responsible for the care of their personal devices when accessing the ORBIT website. This includes maintaining an up-to-date antivirus and malware scanning package. Should you require assistance with this, please contact a member of the team below.

Bernd Stahl (Senior Investigator) – b.stahl@dmu.ac.uk

Martin DeHeaver (CEO) – martin.deheaver@orbit-rri.org

The information that should be provided (if known) at this point includes:

  • When the breach occurred (time and date)
  • Description of the breach (type of personal information involved)
  • Cause of the breach (if known); otherwise, how it was discovered
  • Which system(s), if any, are affected
  • Whether corrective action has occurred to remedy or ameliorate the breach (or suspected breach)

Assess and Determine the Potential Impact

Once notified of the information above, the informed parties must consider whether a privacy data breach has (or is likely to have) occurred and make a preliminary judgement as to its severity. The Privacy Coordinator should be contacted for advice.

Criteria for determining whether a privacy data breach has occurred.

  • Is personal information involved?
  • Is the personal information of a sensitive nature?
  • Has there been unauthorised access to personal information, or unauthorised disclosure of personal information, or loss of personal information in circumstances where access to the information is likely to occur?

For the purposes of this assessment the following terms are defined in the Privacy Policy: personal information, sensitive information, unauthorised access, unauthorised disclosure and loss.

Criteria for determining severity.

  • The type and extent of personal information involved
  • Whether multiple individuals have been affected
  • Whether the information is protected by any security measures (password protection or encryption)
  • The person or kinds of people who now have access
  • Whether there is (or could there be) a real risk of serious harm to the affected individuals
  • Whether there could be media or stakeholder attention as a result of the breach or suspected breach

With respect to the above, serious harm could include physical, psychological, emotional, economic/financial harm, or harm to reputation.

Having considered the matters above, the website administrator must notify the ORBIT Team within 24 hours of being alerted.

Website Administration Team to issue pre-emptive instructions.

On receipt of the communication from the relevant member of staff under the step above, the Web Admin Team (with guidance from the hosting company) will take a preliminary view as to whether the breach (or suspected breach) may constitute an NDB. Accordingly, the Web Admin Team will issue pre-emptive instructions as to whether the data breach should be managed at the local level or escalated to the Hosting Company. This will depend on the nature and severity of the breach.

Data Breach managed at the Organisational Level.

Where the Web Admin Team instructs that the data breach is to be managed at the local level, the relevant member of staff must:

  • Ensure that immediate corrective action is taken, if this has not already occurred (corrective action may include: retrieval or recovery of the personal information, ceasing unauthorised access, shutting down or isolating the affected system); and
  • Submit a report to the Managing Director within 48 hours of receiving instructions under 3.3. The report must contain the following:
    • Description of breach or suspected breach
    • Action taken
    • Outcome of action
    • Processes that have been implemented to prevent a repeat of the situation.
    • Recommendation that no further action is necessary

The Web Admin Team will be provided with a copy of the report and will sign off that no further action is required.

The report will be logged by the Web Developer.

Data breach managed by the Hosting Company.

Where the Web Admin Team instructs that the data breach must be escalated to the Hosting Company, the team will remain in constant contact with the Hosting Company and will provide a full report to the Managing Director of ORBIT.

Notification.

If there are reasonable grounds, the Web Developer must prepare a prescribed statement and provide a copy to the Managing Director as soon as practicable (and no later than 30 days after becoming aware of the breach or suspected breach).

If practicable, ORBIT must also notify each individual to whom the relevant personal information relates. Where impracticable, ORBIT must take reasonable steps to publicise the statement (including publishing on the website).

Secondary Role of the Response Team.

  • Identify lessons learnt and remedial action that can be taken to reduce the likelihood of recurrence – this may involve a review of policies and processes, or refresher training.
  • Prepare a summary.
  • Consider the option of an audit to ensure that the necessary outcomes have been put in place and are effective.

Updates to this Procedure.

This procedure is scheduled for review every year or more frequently if appropriate.