Data Protection Toolkit - Personal Data Breaches: are you prepared?

15 Jun 2018
Whatever security measures you might have in place, you can never be 100% safe from a breach. A breach could lead to an investigation from the regulator, resulting in potential enforcement action against your organisation. Being prepared is essential.

You need to know how to recognise, report and respond to a breach. While it is possible to work all of this out when one occurs, it will be much more difficult to take the right steps within the relatively short deadline for informing the regulator if you have not prepared your procedure in advance.

It is mandatory to report certain breaches to the regulator, the Information Commissioner's Office (ICO), within 72 hours of becoming aware of them.

You also need to keep records of breaches and take action to reduce the risk of them happening again.

The GDPR also requires you to have appropriate security measures in place. Demonstrating that you've done this will not only help to avoid breaches, but will show that you've not been negligent in your approach.

If you need to report a breach after reading this guidance, visit the ICO's reporting page. Please don't email the details to NICVA! (though you can of course ask for more advice)

Contents

  • Recognising a breach
  • Reporting a breach
  • Informing individuals
  • Keeping records
  • Reporting a serious incident to the Charity Commission
  • Reporting fraud or a significant cyber incident
  • More information

Recognising a breach

You will need to be able to recognise that a breach has happened before you decide what to do next.

A personal data breach, as defined in Article 4(12) of the GDPR, means:

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. (Article 4(12) GDPR)

Examples of a breach might include:

  • loss or theft of hard copy notes, USB drives, computers or mobile devices
  • an unauthorised person gaining access to your laptop, email account or computer network
  • sending an email with personal data to the wrong person
  • a bulk email using 'to' or 'cc', but where 'bcc' (blind carbon-copy) should have been used
  • a disgruntled employee copying a list of contacts for their personal use
  • a break-in at the office where personnel files are kept in unlocked storage

Protecting yourself from cyber incidents

The National Cyber Security Centre (NCSC) provides practical information on protecting your organisation from cyber threats. Some useful resources include:

  • Weekly Threat Reports
  • Board Toolkit
  • Information for small and medium sized organisations
  • Small Charity Guide
  • Cyber Essentials certification

Some of these incidents may happen through human error and honest mistakes. They could also occur through carelessness and a lack of procedure or guidance. It is therefore crucial that your organisation has a suitable data protection policy in place, and that all of your staff, including any volunteers, are aware of their responsibilities.

Even when a crime has been committed against you it is your responsibility to follow the necessary procedures, as the breach involves personal data under your control.

All staff must know how to recognise a breach and that they have a duty to make the organisation aware. Let them know that they should report a suspected breach to an identified member of staff (possibly a Data Protection Officer) who handles the rest of the procedure.

Often, this might be difficult for a member of staff to admit if they feel that they're at fault. It would be much worse if a breach is not reported for fear of sanction. It's important that you foster a culture of openness in your organisation to help meet your responsibility under the law.

Where a breach occurs, the organisation should first establish:

  • the facts of what happened
  • what personal data was involved
  • the number of people likely to be affected
  • the likelihood and severity of impact on the people affected

Reporting a breach

After a breach has been escalated within your organisation, you must decide if you need to report it to the Information Commissioner's Office. If you fail to notify a reportable breach it can result in a significant fine.

When should a breach be reported?

Not all breaches need to be reported to the ICO, but if the breach is likely to involve a 'risk to people's rights and freedoms', it must be (Article 33).

Such a risk is one where the people involved could suffer adverse effects as a result of the breach. This depends on what was in the data and how it might be used to damage them, as well as the scale of the breach. The inappropriate disclosure of sensitive or confidential information could be reportable if it would have a negative impact on someone's sense of privacy. Identity theft, fraud, financial loss and damage to reputation are other risks to rights and freedoms that could result.

You should therefore establish the facts and assess the likelihood and severity of risks in deciding whether to report. The Article 29 Working Party Guidelines contain some scenarios of what is and what isn't reportable. For example, if the data were appropriately encrypted it would not be necessary to report as there is no risk involved (so long as the key or password weren't compromised).

For more on encryption, see NICVA's guide on GDPR and Encryption.

The context, scale and level of sensitivity are more important than the nature of the breach. The same type of breach could be reportable or not, depending on the likely effect on individuals. For example, accidentally sending a bulk email to invite a small number of people to a community event using the 'to' and not the 'bcc' field is unlikely to be a reportable breach. But sending a similar email to a group of people who are receiving mental health counselling from you would be, as the context identifies health information about those people.
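The 'to'/'cc' slip described above is one of the easiest breaches to prevent mechanically. As an added example (not code from NICVA's guidance), the following Python builds a bulk mailing with the recipient list kept out of the visible headers and runs a pre-send check that flags a message which would expose other recipients. The threshold constant, the function names and the sample addresses are assumptions of the example.

```python
"""Added example, not code from NICVA's guidance: keep bulk-mail recipients
out of the visible headers, and check a message before sending so that a
'to'/'cc' slip of the kind described above is caught rather than mailed."""
from email.message import EmailMessage
from email.utils import getaddresses

# Assumption of this example: a message that discloses more than one address
# in To/Cc to every recipient is a bulk mailing and should have used Bcc.
MAX_VISIBLE_RECIPIENTS = 1


def build_bulk_message(sender, recipients, subject, body):
    """Return (message, envelope_recipients).

    The To: header names only the sender, so no recipient learns who else
    received the mail. The real list is returned separately for the SMTP
    envelope (smtplib.SMTP.send_message(msg, to_addrs=envelope)), which is
    all that 'bcc' means on the wire."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # undisclosed recipients
    msg["Subject"] = subject
    msg.set_content(body)
    # Deliberately no msg["Bcc"]: a Bcc header that survives into the
    # delivered message would disclose the whole list.
    return msg, list(recipients)


def visible_recipients(msg):
    """Every address disclosed to all recipients through To and Cc."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _, addr in getaddresses(headers) if addr]


def check_before_send(msg):
    """Return a list of problems; an empty list means the message is safe to send."""
    problems = []
    exposed = visible_recipients(msg)
    if len(exposed) > MAX_VISIBLE_RECIPIENTS:
        problems.append(f"{len(exposed)} addresses visible in To/Cc; "
                        "put them in the envelope (Bcc) instead")
    if msg.get_all("Bcc"):
        problems.append("Bcc header present; remove it before the message is sent")
    return problems


# Constructed sample data for the example (not real addresses)
SAMPLE_RECIPIENTS = ["a.client@example.net", "b.client@example.net",
                     "c.client@example.net"]


def mistaken_message():
    """The slip described above: everyone listed in To, plus a stray Bcc."""
    msg = EmailMessage()
    msg["From"] = "counselling@example.org"
    msg["To"] = ", ".join(SAMPLE_RECIPIENTS)
    msg["Bcc"] = "manager@example.org"
    msg["Subject"] = "Next group session"
    msg.set_content("See you Thursday.")
    return msg


if __name__ == "__main__":
    safe, envelope = build_bulk_message("counselling@example.org", SAMPLE_RECIPIENTS,
                                        "Next group session", "See you Thursday.")
    print("safe message problems:", check_before_send(safe))  # []
    print("mistaken message problems:", check_before_send(mistaken_message()))
```

The check is deliberately independent of how the message is sent: run it in whatever wraps your mail client or mailing script, and refuse to send when it returns anything. The same rule (more than one visible address means bcc should have been used) applies whether the list is a handful of event invitations or a counselling group; the difference in whether a slip is reportable lies in the context, not in the mechanism.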

If you are satisfied that there is no risk to anyone's rights or freedoms, then the breach does not need to be reported. In coming to this conclusion, you should record the reasons for the decision, as the ICO can ask to see them.

How is a breach reported?

A breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware that a breach has occurred. If you report later than 72 hours, Article 33 requires you to give the reasons for the delay.

This 72-hour limit keeps running over weekends and holidays. So expect a breach to be discovered at 5 o'clock on a Friday afternoon!

You can report to the ICO by phone and give details of the incident. Even if you haven't established all of the facts, you should still report within 72 hours. Don't delay, as you will have the opportunity to provide follow-up information. The helpline staff can advise on what to do next, whether you need to inform the individuals, and how to take measures to prevent a recurrence.

As the report helpline is only available from 9am to 4.30pm Monday to Friday, you should report through their online facility if you need to do so at other times.

What happens next?

The ICO decides what happens next. Breaches are not routinely made public by the ICO. In some cases they will simply record the incident. In other cases they can investigate the circumstances that led to the breach. The outcome can range from no further action through to a monetary penalty in the rarer case of a serious breach involving negligent or deliberate action.

Once you have identified or reported a data breach, you should let your board or trustees know the details, as they may need to report a serious incident to the Charity Commission (see below).


Informing individuals

There is also a requirement in the GDPR to inform affected individuals without undue delay (Article 34). This allows them to take precautions and protect themselves against any negative effects, such as identity fraud.

The threshold for informing individuals is higher than the threshold for reporting to the ICO. Compared to a "likely risk to individuals' rights and freedoms", you need to inform people if there is a "high risk". This difference can be hard to judge. It's best to take the view that if you need to report to the ICO you probably need to tell the individuals as well. The ICO can tell you whether you need to inform individuals, or require you to do so. Article 34 does not require you to inform individuals if the data was protected by measures, such as appropriate encryption, that make it unintelligible to anyone not authorised to access it.

You need to clearly communicate to the people involved:

  • what happened
  • what personal information was involved
  • what risks are likely or possible
  • measures you've taken or are proposing to address the breach
  • your contact details where they can get more information

Keeping records

Whether you need to report a breach to the ICO or not, you should keep a clear record of every breach incident.

The GDPR requires controllers to:

document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken (Article 33)

The GDPR also requires organisations to be accountable and transparent. Under the security of processing, controllers and processors must put in place appropriate measures "to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services" (Article 32).

Keeping a clear record of breaches will help you to meet accountability requirements and is an appropriate measure to ensure the security of processing.

These records also allow the ICO to verify that you are complying with the duty to report relevant breaches.

You will also need to act on any breach to reduce the risk of reoccurrence. Identifying patterns or gaps in your practice is important, and keeping records shows that you're taking responsibility for what happened.

You can choose how you keep this record. It could be a long-form written document, or on a spreadsheet. It is advisable to record:

  • the date that the breach happened
  • when it was identified and by whom
  • if and when the ICO were notified (include a case number if given one)
  • the nature and circumstances of the breach
  • what types of personal information were involved
  • how many people were affected
  • likely effects of the breach, especially if there is evidence of effects
  • if a breach was not reported to the ICO, the reasons for this decision
  • remedial action taken to address the breach and prevent a recurrence
  • any other information you think relevant

Reporting a serious incident to the Charity Commission

Under charity law, trustees are required to report any serious incident to the Charity Commission for Northern Ireland (or other charity regulators where relevant) and explain how it is being managed.

A serious incident is an adverse event (either actual or alleged) which risks or results in a significant loss of charity money or assets, damage to charity property, or harm to the charity's work, its beneficiaries or its reputation.

In the case of a data breach that has involved criminality such as fraud, hacking, or the theft or loss of data or equipment, it is almost certain that a serious incident also exists. 

The Charity Commission's guidance on serious incident reports highlights examples of data breaches or loss that would be reportable to them as a serious incident:

Examples of incidents to report to the Charity Commission:

  • Charity's data has been accessed by an unknown person; this data was accessed and deleted, including the charity's email account, donor names and addresses.
  • A charity's laptop, containing the personal details of beneficiaries or staff, has been stolen.
  • Charity funds lost due to an online or telephone 'phishing scam', where trustees were conned into giving out bank account details.
  • A Data Protection Act breach, reported to the ICO.

Examples of incidents which do not need to be reported to the Charity Commission:

  • A single laptop or mobile phone belonging to the charity is reported missing and it does not contain confidential data; it has been reported to the PSNI.

If a data breach has been reported to the ICO, then it should also be reported to the Charity Commission. In cases where the breach has not been reported to the ICO, a serious incident may still need to be reported to the Charity Commission.

Responsibility for making the decision on whether a serious incident report needs to be made—and following the required procedure—will fall to the charity's trustees.

If you as a member of staff have identified a data breach, you should inform your trustees about it so they can make an informed decision on reporting it to the Charity Commission.
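The decisions in the 'Reporting a breach', 'Informing individuals', 'Keeping records' and 'Reporting a serious incident' sections fit together as one procedure. As an added example (not code from NICVA, the ICO or the Charity Commission), the Python below holds a breach register entry with the fields listed under 'Keeping records', computes the 72-hour deadline from the moment of awareness, and records which bodies must be told and why. The risk rating is the organisation's own judgement on the facts; the field names, the reference format, the rule encodings and the sample incident are assumptions of the example.

```python
"""Added example, not code from NICVA, the ICO or the Charity Commission:
a breach register entry with the notification triage and the 72-hour clock
described in the guidance. The risk rating is a judgement the organisation
makes on the facts; this code only applies the rules once it has been made."""
from dataclasses import dataclass, field, asdict
from datetime import datetime, timedelta, timezone
from enum import Enum
import json

# Article 33: within 72 hours of becoming aware, weekends and holidays included
ICO_WINDOW = timedelta(hours=72)


class Risk(Enum):
    NONE = "no risk to rights and freedoms"
    LIKELY = "risk to rights and freedoms likely"
    HIGH = "high risk to rights and freedoms"


@dataclass
class Breach:
    reference: str            # your own register reference (format assumed)
    occurred: datetime
    aware: datetime           # when you became aware: this starts the clock
    identified_by: str
    nature: str
    data_types: list
    people_affected: int
    assessed_risk: Risk
    encrypted_key_safe: bool = False  # data encrypted, key/password not compromised
    involved_crime: bool = False      # theft, hacking, fraud: a serious incident
    cyber_or_fraud: bool = False      # scam or cyber attack: Action Fraud
    money_lost: bool = False          # also the PSNI
    ico_case_number: str = ""
    decisions: dict = field(default_factory=dict)


def effective_risk(b: Breach) -> Risk:
    """Appropriately encrypted data with an uncompromised key carries no risk."""
    return Risk.NONE if b.encrypted_key_safe else b.assessed_risk


def ico_deadline(b: Breach) -> datetime:
    return b.aware + ICO_WINDOW


def hours_remaining(b: Breach, now: datetime) -> float:
    return (ico_deadline(b) - now) / timedelta(hours=1)


def triage(b: Breach) -> dict:
    """Decide who must be told and record the reason for each decision."""
    risk = effective_risk(b)
    report_ico = risk is not Risk.NONE
    decisions = {
        "report_to_ico": report_ico,
        "ico_deadline": ico_deadline(b).isoformat() if report_ico else None,
        "inform_individuals": risk is Risk.HIGH,
        # reported to the ICO, or criminality involved: a serious incident
        "report_to_charity_commission": report_ico or b.involved_crime,
        "report_to_action_fraud": b.cyber_or_fraud,
        "report_to_psni": b.money_lost,
        "reason": risk.value + (" (data encrypted, key not compromised)"
                                if b.encrypted_key_safe else ""),
    }
    b.decisions = decisions
    return decisions


def register_entry(b: Breach) -> str:
    """Serialise the record the guidance says to keep, reported or not."""
    entry = asdict(b)
    entry["assessed_risk"] = b.assessed_risk.value
    for key in ("occurred", "aware"):
        entry[key] = entry[key].isoformat()
    return json.dumps(entry, indent=2)


def friday_example() -> Breach:
    """Constructed sample: the Friday-afternoon case from the text."""
    return Breach(
        reference="BR-0001",
        occurred=datetime(2018, 6, 15, 16, 30, tzinfo=timezone.utc),
        aware=datetime(2018, 6, 15, 17, 0, tzinfo=timezone.utc),
        identified_by="Office manager",
        nature="Laptop with counselling client list stolen from a car",
        data_types=["names", "contact details", "health (counselling)"],
        people_affected=40,
        assessed_risk=Risk.HIGH,
        involved_crime=True,
    )


if __name__ == "__main__":
    b = friday_example()
    print(triage(b))
    print(register_entry(b))
```

The sample uses the page's own 5 o'clock on a Friday case (15 June 2018 was a Friday): the deadline lands at 5 o'clock on the Monday, not on the next working day after a weekend's grace. Setting `encrypted_key_safe` drops the ICO report and the notification to individuals, but the theft of the laptop still makes it a serious incident for the trustees, which is the distinction the guidance draws between the two regulators.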


Reporting fraud or a significant cyber incident

If you have fallen victim to a cyber scam or fraud, it should be reported to Action Fraud, who monitor a wide range of these types of attempts (whether or not any personal data is involved).

If a live cyber attack is in progress then call their 24/7 hotline immediately on 0300 123 2040.

If money has been lost, a vulnerable person is at risk, or you can identify the suspect, the incident should also be reported to the PSNI on 101 (999 in an emergency).

A significant cyber incident is one in which you have been the victim of a cyberattack such as hacking, ransomware, 


More information

More detail on personal data breaches is available from the ICO's Guide to the GDPR.

The PSNI ScamwiseNI Partnership works to raise awareness of scams and fraud that are taking place locally. The Little Book of Big Scams contains examples of the most common scams to be aware of.

If you need to report a breach, visit the ICO's reporting page (please do not email NICVA!)

Further reading

  • ICO, Personal data breach reporting
  • ICO, Guide to the GDPR: Security
  • ICO, Guide to the GDPR: Accountability and Governance
  • ICO, Practical guide to IT security
  • National Cyber Security Centre
  • NICVA, GDPR and Encryption
  • ICO, Guide to Data Protection: Encryption
  • Article 29 Working Party Guidelines on Personal Data Breaches
