
Data Breach Management Plan

Information is a key University asset, and ensuring its continued confidentiality, integrity and availability is essential to support the operations of the University of Exeter. The University is also required to operate within the law, specifically the expectations set out in the Data Protection Act 1998 (DPA) and the General Data Protection Regulation (GDPR). A data breach management plan is therefore essential.

Data security breaches

Breaches are increasingly common occurrences, whether caused through human or technical error or via malicious intent. As technology trends change and the volume of data and information created grows, there are more emerging ways by which data can be breached. The University therefore needs to have in place a robust and systematic process for responding to any reported potential data security breach, to ensure it can act responsibly and protect individuals’ data, University information assets and reputation as far as possible.

Data breaches will vary in impact and risk depending on the content and quantity of data involved, the circumstances of the loss and the speed of response to the incident. By managing all perceived data security breaches in a timely manner it may be possible to contain and recover the data before an actual breach occurs, reducing the risks and impact to both individuals and the University.

Breaches can result in fines for loss of personal information and significant reputational damage, and may require substantial time and resources to rectify. Current fines under the DPA are up to £500,000; in May 2018 the GDPR replaces the DPA, with fine limits increasing to up to €20 million for a breach. Breach reporting within 72 hours of identifying a breach is mandatory under the GDPR, with fines of up to €10 million for failing to report a breach.

All users need to read, understand, and comply with this Policy.

2 Definition

2.1 What is a data security breach?

Any loss of, or unauthorised access to, University data is regarded as a data security breach. Typically this involves personal or confidential information, including intellectual property. Examples of data security breaches include inappropriate access restrictions that permit unauthorised usage, human error (such as sending information to the wrong destination), cyber attacks, and “blagging”, which involves obtaining information through deception.

2.2 What is a data security incident?

A data security incident is where there is the risk of a breach but a loss or unauthorised access has not actually occurred. For the purposes of this policy, data breaches include both confirmed and suspected occurrences.

IGSSG25 16‐17 Data Breach Management Policy January 2018; Version 1.0 Page 3 of 4

3 Purpose and Scope

The purposes of this document are:

  • Firstly, to set out user responsibilities
  • Secondly, to standardise the University-wide response and ensure that breaches are dealt with appropriately
  • Thirdly, to set out the impacts of a data breach and how they are addressed

This University-wide policy applies to all University information, regardless of format, and is applicable to all staff, students, visitors, contractors and anyone that processes data on behalf of the University. This policy supports compliance with the General Data Protection Regulation, Cyber Essentials, security requirements for research grants and best practice guidelines.

4 Responsibilities

4.1 Information users
It is the responsibility of every user of information to report any suspected incident or breach.

4.2 Senior Information Owners (SIO) – Colleges and Departments
SIOs are responsible for ensuring that staff in their area act in compliance with this policy and assist with investigations as required.

4.3 Information Asset Owners (IAO)
IAOs are responsible for identifying and effectively managing threats to their information assets. Risks and controls must be re-examined after any security incident or compromise.

4.4 Investigating Officers
Investigating Officers are responsible for overseeing management of the breach in accordance with the Data Breach Management Plan. Suitable delegation may be appropriate in some circumstances.

4.5 Student Information Desk (SID)
All incidents are reported to SID, which is responsible for recording them.

4.6 Exeter IT
Where the incident / breach involves digital information or technical security, Exeter IT will be responsible for the technical controls to support securing the network and containing or recovering the data.

4.7 Data Protection Officer (Information Governance Manager)
The Data Protection Officer is responsible for providing advice and guidance.


5 Policy

In the event of any confirmed or suspected data security breach you must:

5.1 Report immediately via the Student Information Desk (SID) as the primary point of contact, either in person at the SID desk or on 0300 555 0444. The report should include full and accurate details of what has happened, including who is reporting the incident.

5.2 Ensure appropriate management of the incident; this includes the following four steps:

5.2.1. Containment and Recovery
5.2.2. Assessment of Risks
5.2.3. Consideration of Further Notification
5.2.4. Evaluation and Response

5.3 Keep records of the actions taken and when they were taken. Additionally, keep copies of any correspondence you have regarding the breach.

5.4 The University Data Protection Officer must be notified of all breaches that involve personal data.

5.5 Staff, students, contractors, consultants, visitors and guests who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures or other appropriate sanctions.

5.6 The Information Governance & Security Steering Group, which is accountable to the Vice-Chancellor’s Executive Group through the Registrar and Secretary, will monitor the effectiveness of this policy and carry out regular reviews of all reported breaches.

6.1 Associated policies

  • Information Security Policy
  • Data Protection Policy
  • Information Governance Web Pages
  • Breach Reporting Web Page
  • Information Commissioners Guidance
  • Data Protection Act
  • General Data Protection Regulation