Data breach management policy

Contents

Introduction

Scope of policy

Policy statement

Introduction

Harlow District Council is registered with the Information Commissioner as a Data Controller – an organisation that determines the purposes and means of processing personal data. All Data Controllers have a responsibility under the data protection legislation and the UK General Data Protection Regulation (UK GDPR) to comply with the integrity and confidentiality principle of the UK GDPR. That is, to ensure that appropriate technical and organisational measures are in place to protect the personal data collected by the council.

The UK GDPR requires that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.

No organisation handling personal information can guarantee that it will never experience losses. By ensuring that its standards are equivalent to, or exceed, best practice, the council can reassure data subjects that all reasonable steps are taken to preserve and protect their information.

Data controllers and processors have mandatory reporting duties to notify the Information Commissioner’s Office (ICO) of data breaches that pose a risk to the rights or freedoms of data subjects, for example a risk of identity theft. Notification to the ICO should be made within 72 hours of the council becoming aware of the breach or potential breach. Failure to notify may result in the council becoming subject to sanctions, including fines and written warnings.

Only in exceptional circumstances can the notification be delayed. Written justification must be provided for any delay, together with the possible consequences of the delay in reporting.

All data breaches must be reported to the council’s Data Protection Officer who is the named contact for the ICO.

The council has a separate procedure for council staff to follow when a data breach occurs.

Scope of policy

The council is obliged under data protection legislation to have in place a framework designed to ensure the security of all personal data throughout its lifecycle, including clear lines of responsibility.

Council staff will process personal data as part of their job and will adhere to the data protection legislation.

Policy statement

All users of personal data within the council have a responsibility to ensure that they process personal data in accordance with the data protection legislation, UK GDPR and the 6 data protection principles.

The principles are that personal data must be processed with:

  1. Lawfulness, fairness and transparency.
  2. Purpose limitation.
  3. Data minimisation (to only hold the minimum amount of personal data to enable processing).
  4. Accuracy.
  5. Storage limitation (not kept for longer than necessary).
  6. Integrity and confidentiality (that is, stored and handled securely).

The council will follow the data processing principles above and have the appropriate technical and organisational security measures in place to minimise the risk of breaches of personal information.

The council will have the necessary contract provisions in place with data processors (contractors who process personal data on behalf of the council) to ensure compliance with the data protection processing principles and the breach notification duties in the UK GDPR and data protection legislation.

Any employee or member of the public, who has a concern about processing or storage of personal information, is urged to contact the Data Protection Officer.

The Data Protection Officer details are:

Data Protection Officer
The Civic Centre
The Water Gardens Harlow
CM20 1WG
data.protection@harlow.gov.uk

This version of the policy was published in June 2023 and will be reviewed every year. The next review will be in June 2024.
