MTCaptcha Data Breach Notification Policy

Effective date: Oct 28th, 2019

REVISION HISTORY

Version   Date of Revision   Description of Change
1.0       28th Oct 2019      Initial Version

PURPOSE

MTCaptcha holds and processes personal data on behalf of its staff and clients, a valuable asset that needs to be suitably protected. Every care is taken to protect client and personal data from incidents, whether accidental or deliberate, that could result in a security breach. Compromise of the confidentiality, integrity, or availability of information may result in harm to individuals, reputational damage, detrimental effect on service provision, legislative noncompliance, and/or financial costs including significant fines from the Information Commissioner's Office (ICO).

The company is obliged under the Data Protection Act to have in place systems designed to ensure the security of all personal data during its lifecycle, including clear lines of responsibility. This Policy sets out the procedure to be followed to ensure a consistent and effective approach is in place for managing data breach and information security incidents.

The GDPR makes notification mandatory for all controllers unless a breach is unlikely to result in a risk to the rights and freedoms of individuals. Processors must notify any breach to their controllers. Controllers and processors are therefore encouraged to put in place processes to be able to detect and promptly contain a breach, to assess the risk to individuals, and then to determine whether it is necessary to notify the competent supervisory authority, and to communicate the breach to the individuals concerned when necessary.

SCOPE

This Policy relates to all personal and sensitive data controlled or processed by the company regardless of format. This Policy applies to all employees, contractors, consultants, temporary staff, and other workers at MTCaptcha and data processors working for, or on behalf of the company.

TYPES OF PERSONAL DATA BREACHES

Confidentiality Breach
Where there is an unauthorised or accidental disclosure of, or access to, personal data. For example:

  • personal data accidentally being sent to someone (either internally or externally) who does not have a legitimate need to see it
  • client database being compromised, for example being accessed by another client
  • paper records containing personal data being left unprotected for anyone to see, for example: files left out when the owner is away from their desk or at the end of the day, papers not properly disposed of in confidential shredding bins, papers left at printers
  • staff accessing or disclosing personal data outside the requirements or authorisation of their job
  • being deceived by a third party into improperly releasing the personal data of another person

Availability Breach
Where there is an accidental or unauthorised loss of access to, or destruction of, personal data. For example:

  • the loss of personal data due to unforeseen circumstances such as a fire or flood
  • loss or theft of laptops, mobile devices, or paper records containing personal data
  • when there has been a permanent loss of, or destruction of, personal data

Integrity Breach
Where there is an unauthorised or accidental alteration of personal data. For example:

  • the removal or false alteration of individuals' mobile numbers or email addresses

It should also be noted that, depending on the circumstances, a breach can concern confidentiality, availability and integrity of personal data at the same time, as well as any combination of these.

POLICY

On discovery of a data breach the following actions should be taken, in this order:

  • Containment and recovery
  • Assessing the risk
  • Notification of the breach (to the Information Commissioner's Office (ICO), to client controllers, and to affected individuals, where required)
  • Evaluation and response

CONTAINMENT AND RECOVERY

The individual who caused the breach, or who has identified a possible breach, must immediately inform their manager or the Information Security Officer. The immediate priority is to contain the breach and limit its scope and impact.

  • Where personal data has been seen by, accessed by, or sent to someone who does not have a legitimate need to see it, staff should contact the recipient and:
    - tell the recipient not to pass it on or discuss it with anyone else
    - tell the recipient to destroy or delete the personal data they have received, and get them to confirm in writing that they have done so
    - warn the recipient of the implications if they further disclose the data
  • Where data has been lost, altered or has become unavailable, access to the data should be restored as quickly as possible, from backup copies of the data if necessary
  • Where the data controller is an MTCaptcha client, the client's Data Protection Officer or the person responsible for receiving breach notifications is to be given an initial notification stating what recovery processes are being performed, with further information about the breach provided in phases as it becomes available. This is important because the client controller's own 72-hour deadline for notifying the supervisory authority runs from the time the client becomes aware of the breach; an early initial notification must not be held back while the full picture is established

A Breach Notification incident should be logged on the Internal IT Support system (see the Information Security Incident Logging Policy) stating:

  • Date and time of the breach
  • Date and time breach detected
  • Who caused the breach (if known)
  • Details of the breach
  • Number of data subjects involved (an approximation is sufficient)
  • Details of actions already taken in relation to the containment and recovery

ASSESSING THE RISK

The Information Security Officer, the Data Protection Officer, or a nominated person will conduct an investigation into the breach and prepare a Breach Report.

This report will follow the ICO's guidance on Breach Management and will consider the following:

  • How the breach occurred
  • The type of personal data involved
  • The number of data subjects affected by the breach
  • Who the data subjects are
  • The sensitivity of the data breached
  • What harm could arise to the data subjects (for example, the breach could result in identity theft or fraud, physical harm, psychological distress, humiliation or damage to reputation)
  • What could happen if the personal data is used inappropriately or illegally
  • For personal data that has been lost or stolen, whether protections such as encryption were in place, and whether the encryption keys themselves remained secure (encryption only mitigates the risk if the keys were not also compromised)
  • The measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects
  • Whether the breach should be notified to the ICO – if NOT the reasoning behind this decision including reasons why the breach is unlikely to result in a risk to the rights and freedoms of individuals

BREACH NOTIFICATION

To the Information Commissioner's Office (ICO)

Under Article 33(1) of the GDPR: "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay."

The Data Protection Officer or the Information Security Officer, or in the absence of both, any member of the Senior Leadership Team, will determine whether the breach is one which is required to be notified to the ICO.

To the Affected Customers

Where the data breach involves client data, the responsibility for reporting the breach onward (to the supervisory authority and to affected individuals) rests with the client controller(s), i.e. the clients' Data Protection Officers or the persons responsible for breach notifications. MTCaptcha, acting as processor for that data, shall without undue delay and, where feasible, not later than 72 hours after having become aware of the breach, notify the client's specified contact and controllers.

To the Affected Individuals

If a breach is also assessed to be likely to result in a high risk to the rights and freedoms of individuals, the individuals themselves must be informed directly and without undue delay, particularly if there is a need to mitigate an immediate risk of damage to them. One of the main reasons for informing individuals is to help them take steps to protect themselves from the effects of a breach.

When informing the individuals the following needs to be supplied in clear and plain language:

  • The nature of the personal data breach
  • The name and contact details of the Data Protection Officer or other contact point where more information can be obtained
  • A description of the likely consequences of the personal data breach
  • A description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects

EVALUATION AND RESPONSE

Once the breach has been dealt with, the cause of the breach needs to be considered. There may be a need to update policies and procedures, or to conduct additional training.

TRAINING

All MTCaptcha staff will receive training on this policy. New staff will receive training as part of the induction process. Further training will be provided at least every year or whenever there is a substantial change in the law or our policy and procedure.

MONITORING

All MTCaptcha staff must observe this policy.
The DPO has overall responsibility for this policy.
The DPO will review and monitor this policy regularly to make sure it is effective, relevant, and adhered to.
We take compliance with this policy very seriously. Failure to comply puts both you and the organisation at risk.
The importance of this policy means that failure to comply with any requirement may lead to disciplinary action under our procedures which may result in dismissal.