Noah’s Ark Children’s Hospital Charity NA Policy #: NA1801 Effective Date: May 25 2018 Revised:
Privacy and the Management of Personal Data
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Introduction
The Noah’s Ark Children’s Hospital Charity (the charity) is a well-known and trusted organisation in Wales. Since its inception many individuals have shown support to the charity; this information is held on the charity’s database and used for auditing as well as fundraising and communication. From May 2018 the charity will make every effort to base the processing of personal data on GDPR-compliant consent, to give individuals genuine choice and ongoing control over the use of their data, and to ensure the organisation is transparent and accountable.
The charity agrees with the Information Commissioner’s Office (ICO) that getting this right should be seen as essential to good customer service: it will put people at the centre of the relationship, and can help build confidence and trust. This can enhance the charity’s reputation, improve levels of engagement and encourage ongoing support to the charity.
Article 5(1) of the GDPR says that personal data shall be:
“a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
Page 1 of 22
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
Article 5(2) requires that:
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
Scope and definitions
The obligations as detailed in this document apply to ‘the charity’. This means employees, trustees, volunteers and people connected officially with the charity. It also extends in part to data processors employed by the charity who are entrusted with supporter information.
The GDPR applies to ‘controllers’ and ‘processors’.
- A controller determines the purposes and means of processing personal data.
- A processor is responsible for processing personal data on behalf of a controller e.g. a mailing house.
The charity is a controller, and as such is not relieved of obligations where a processor is involved – the GDPR places further obligations on the charity to ensure its contracts with processors comply with the GDPR.
Personal data
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data. The GDPR therefore applies to data wherever and however it is stored – electronically, in filing systems, HR records, on portable technology e.g. pen drives etc.
Personal data that has been pseudonymised – e.g. key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
Sensitive personal data
The GDPR refers to sensitive personal data as “special categories of personal data”
The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.
Data subjects applies to any living, identifiable individual about whom personal data is processed such as:
- Employees, contractors, consultants
- Volunteers, trustees
- Suppliers, customers
- Individuals on contact lists e.g. fundraising databases.
Lawful basis for processing
The requirement to have a lawful basis in order to process personal data is not new. It replaces and mirrors the previous requirement to satisfy one of the ‘conditions for processing’ under the Data Protection Act 1998 (the 1998 Act). However, the GDPR places more emphasis on being accountable for and transparent about the lawful basis for processing. The six lawful bases for processing are broadly similar to the old conditions for processing, although there are some differences. The charity is undergoing a programme of review of its existing processing, identifying the most appropriate lawful basis, and checking that it applies. In many cases it is likely to be the same as the existing condition for processing. Within the review programme, the charity may choose a new lawful basis if it is found that the old condition for processing. However, the charity is mindful that it will be in breach of the GDPR if the appropriate lawful basis (or bases, if more than one applies) was not identified from the start. The GDPR brings in new accountability and transparency requirements and the charity should therefore make sure it clearly documents its lawful basis so that it can demonstrate its compliance in line with Articles 5(2) and 24. The charity has taken action to inform people upfront about its lawful basis for processing their personal data. It will ensure that this is included in all future privacy notices.
What are the lawful bases for processing?
data for a specific purpose.
(b) Contract: the processing is necessary for a contract the charity has with the individual, or because they have asked the charity to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for the charity to comply with the law (not including contractual obligations).
(e) Public task: the processing is necessary for the charity to perform a task in the public interest or for its official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for the charity’s legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Direct marketing
An individual always has the right to object to processing for the purposes of direct marketing,
whatever lawful basis applies. The charity must include clear unsubscribe options in all of its
communications.
When lawful basis may not be the correct base for processing
If the charity is processing for purposes other than legal obligation, contract, vital interests or public task, then the appropriate lawful basis may not be so clear cut. In many cases the charity is likely to have a choice between using legitimate interests or consent. The charity needs to give some thought to the wider context, including:
- Who does the processing benefit?
- Would individuals expect this processing to take place?
- What is its relationship with the individual?
- Is the charity in a position of power over them?
- What is the impact of the processing on the individual?
- Are they vulnerable?
- Are some of the individuals concerned likely to object?
- Is the charity able to stop the processing at any time on request?
The charity may prefer to consider legitimate interests as its lawful basis if the charity wishes to keep control over the processing and take responsibility for demonstrating that it is in line with people’s reasonable expectations and wouldn’t have an unwarranted impact on them. On the other hand, if the charity prefers to give individuals full control over and responsibility for their data (including the ability to change their mind as to whether it can continue to be processed), the charity may choose to rely on individuals’ consent.
Consent
Asking for consent – ICO Checklist
- The charity has checked that consent is the most appropriate lawful basis for processing.
- The charity has made the request for consent prominent and separate from its terms and conditions.
- The charity asks people to positively opt in.
- The charity does not use pre-ticked boxes or any other type of default consent.
- The charity uses clear, plain language that is easy to understand.
- The charity specifies why it wants the data and what it is going to do with it.
- The charity gives separate distinct (‘granular’) options to consent separately to different purposes and types of processing.
- The charity tells individuals they can withdraw their consent.
Recording consent
The charity keeps a record of when and how it obtained consent from the individual. The charity keeps a record of exactly what it was told at the time.
Managing consent
- The charity will regularly review consents to check that the relationship, the processing and the purposes have not changed.
- The charity will have processes in place to refresh consent at appropriate intervals, including any parental consents.
- The charity considers using privacy dashboards or other preference-management tools as a matter of good practice.
- The charity makes it easy for individuals to withdraw their consent at any time, and publicises how to do so.
- The charity acts on withdrawals of consent as soon as it can.
- The charity has not and will not penalise individuals who wish to withdraw consent.
Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance its reputation.
Contracts with data processors
Whenever the charity uses a processor a written contract will be in place to ensure that both parties understand their responsibilities and liabilities. The charity is liable for its compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected. In the future, using a processor which adheres to an approved code of conduct or certification scheme may help controllers to satisfy this requirement – though, no such schemes are currently available. Processors must only act on the documented instructions of a controller. They will however have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they don’t comply. Contracts between the charity and the processor must contain the following details:
- The subject matter and duration of the processing;
- The nature and purpose of the processing;
- The type of personal data and categories of data subject; and
- The obligations and rights of the charity as the controller.
Contracts between the charity and the processor must contain the following terms:
- The processor must only act on the written instructions of the controller (unless required by law to act without such instructions);
- The processor must ensure that people processing the data are subject to a duty of confidence;
- The processor must take appropriate measures to ensure the security of processing;
- The processor must only engage a sub-processor with the prior consent of the data controller and a written contract;
- The processor must assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
- The processor must assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
- The processor must delete or return all personal data to the controller as requested at the end of the contract; and
- The processor must submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
Documentation
The charity will maintain records on several things such as processing purposes, data sharing and retention as required under the GDPR. The charity may be required to make the records available to the ICO on request. Documentation can help the charity comply with other aspects of the GDPR and improve its data governance.
Controllers and processors both have documentation obligations. Records must be kept in writing; most organisations will benefit from maintaining their records electronically. For small and medium-sized organisations, documentation requirements are limited to certain types of processing activities. As the charity has fewer than 250 employees, the charity only needs to document processing activities that:
- are not occasional; or
- could result in a risk to the rights and freedoms of individuals; or
- involve the processing of special categories of data or criminal conviction and offence data.
What does the charity need to document under Article 30 of the GDPR?
The charity must document the following information:
- The name and contact details of its organisation (and where applicable, of other controllers, its representative and its data protection officer).
- The purposes of its processing.
- A description of the categories of individuals and categories of personal data.
- The categories of recipients of personal data.
- Details of its transfers to third countries including documenting the transfer mechanism safeguards in place.
- Retention schedules.
- A description of its technical and organisational security measures.
Should the charity document anything else?
As part of its record of processing activities, it can be useful to document (or link to documentation of) other aspects of its compliance with the GDPR and the UK’s Data Protection Bill. Such documentation may include:
- information required for privacy notices, such as:
- the lawful basis for the processing
- the legitimate interests for the processing
- individuals’ rights
- the existence of automated decision-making, including profiling
- the source of the personal data;
- records of consent;
- controller-processor contracts;
- the location of personal data;
- Data Protection Impact Assessment reports;
- records of personal data breaches;
- information required for processing special category data or criminal conviction and offence data under the Data Protection Bill, covering:
- the condition for processing in the Data Protection Bill
- the lawful basis for the processing in the GDPR
- its retention and erasure policy document.
Data Protection by design and default
Data protection by design is ultimately an approach that ensures the charity considers privacy and data protection issues at the design phase of any system, service, product or process and then throughout the lifecycle.
As expressed by the GDPR, it requires the charity to:
- put in place appropriate technical and organisational measures designed to implement the data protection principles; and
- integrate safeguards into its processing so that the charity meets the GDPR’s requirements and protects individual rights.
In essence this means the charity has to integrate or ‘bake in’ data protection into its processing activities and business practices.
Data protection by design has broad application. Examples include:
- developing new IT systems, services, products and processes that involve processing personal data;
- developing organisational policies, processes, business practices and/or strategies that have privacy implications;
- physical design;
- embarking on data sharing initiatives; or
- using personal data for new purposes.
The underlying concepts of data protection by design are not new. Under the name ‘privacy by design’ they have existed for many years. Data protection by design essentially inserts the privacy by design approach into data protection law.
Under the 1998 Act, the ICO supported this approach as it helped organisations to comply with their data protection obligations. It is now a legal requirement. Data protection by default requires the charity to ensure that it only processes the data that is necessary to achieve its specific purpose. It links to the fundamental data protection principles of data minimisation and purpose limitation. The charity has to process some personal data to achieve its purpose(s). Data protection by default means the charity needs to specify this data before the processing starts, appropriately inform individuals and only process the data the charity needs for its purpose. It
Nevertheless, the charity must consider things like:
- adopting a ‘privacy-first’ approach with any default settings of systems and applications;
- ensuring the charity does not provide an illusory choice to individuals relating to the data the charity will process;
- not processing additional data unless the individual decides the charity can;
- ensuring that personal data is not automatically made publicly available to others unless the individual decides to make it so; and
- providing individuals with sufficient controls and options to exercise their rights.
Security breach of personal data
Article 5(1)(f) of the GDPR concerns the ‘integrity and confidentiality’ of personal data. It says that personal data shall be:
‘Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’
This is referred to as the GDPR’s ‘security principle’. It concerns the broad concept of information security. The charity endeavours to put into place appropriate security to prevent personal data held being accidentally or deliberately compromised. This covers information security, sometimes considered as cybersecurity (the protection of its networks and information systems from attack), and also covers other things like physical and organisational security measures. All those within the scope of the policy must comply with the charity’s rules regarding the protection of personal data.
The charity continues to undertake an analysis of the risks presented by its processing, and uses this to assess the appropriate level of security the charity needs to put in place. Below is the ICO checklist:
- When deciding what measures to implement, the charity takes account of the costs of implementation.
- The charity has an information security policy (or equivalent) and will take steps to make sure the policy is implemented.
- The charity will make sure that it regularly reviews its information security policies and measures and, where necessary, improves them.
- The charity has put in place basic technical controls such as those specified by established frameworks like Cyber Essentials.
- The charity understands that it may also need to put other technical measures in place depending on its circumstances and the type of personal data it processes.
- The charity will use encryption and/or pseudonymisation where it is appropriate to do so.
- The charity understands the requirements of confidentiality, integrity and availability for the personal data it processes.
- The charity makes sure that it can restore access to personal data in the event of any incidents, such as by establishing the appropriate backup process.
- The charity will conduct regular testing and reviews of its measures to ensure they remain effective, and act on the results of those tests where they highlight areas for improvement.
- Where appropriate, the charity implements measures that adhere to an approved code of conduct or certification mechanism.
The charity will ensure that any data processor it uses also implements appropriate technical and organisational measures.
The security principle goes beyond the ways the charity stores or transmits information. Every aspect of its processing of personal data is covered, not just cybersecurity. This means the security measures the charity puts in place seek to ensure that:
- the data can be accessed, altered, disclosed or deleted only by those the charity has authorised to do so (and that those people only act within the scope of the authority the charity gives them);
- the data the charity holds is accurate and complete in relation to why the charity is processing it; and
- the data remains accessible and usable, i.e., if personal data is accidentally lost, altered or destroyed, the charity should be able to recover it and therefore prevent any damage or distress to the individuals concerned.
So, before deciding what measures are appropriate, the charity needs to assess its information risk. The charity should review the personal data it holds and the way it uses that data in order to assess how valuable, sensitive or confidential it is, as well as the damage or distress that may be caused if the data was compromised. The charity should also take account of factors such as:
- the nature and extent of its premises and computer systems;
- the number of staff the charity has and the extent of their access to personal data; and
- any personal data held or used by a data processor acting on its behalf.
Whether or not the charity has such a policy, the charity still needs to consider security and other related matters such as:
- co-ordination between the charity and key people in its organisation (e.g. the security manager will need to know about commissioning and disposing of any IT equipment);
- access to premises or equipment given to anyone outside its organisation (e.g. for computer maintenance) and the additional security considerations this will generate;
- business continuity arrangements that identify how the charity will protect and recover any personal data the charity holds; and
- periodic checks to ensure that its security measures remain appropriate and up to date.
What technical measures does the charity need to consider?
Technical measures are sometimes thought of as the protection of personal data held in computers and networks. Whilst these are of obvious importance, many security incidents can be due to the theft or loss of equipment, the abandonment of old computers or hard-copy records being lost, stolen or incorrectly disposed of. Technical measures therefore include both physical and computer or IT security.
When considering physical security, the charity should look at factors such as:
- the quality of doors and locks, and the protection of its premises by such means as alarms, security lighting or CCTV;
- how the charity controls access to its premises, and how visitors are supervised;
- how the charity disposes of any paper and electronic waste; and
- how the charity keeps IT equipment, particularly mobile devices, secure.
In the IT context, technical measures may sometimes be referred to as ‘cybersecurity’. This is a complex technical area that is constantly evolving, with new threats and vulnerabilities always emerging. It may therefore be sensible to assume that the charity’s systems are vulnerable and take steps to protect them.
When considering cybersecurity, the charity should look at factors such as:
- system security – the security of its network and information systems, including those which process personal data;
- data security – the security of the data the charity holds within its systems, e.g. ensuring appropriate access controls are in place and that data is held securely;
- online security – e.g. the security of the charity’s website and any other online service or application that the charity uses; and
- device security – including policies on Bring Your Own Device (BYOD) if the charity offers it.
ICO guidance
Under the 1998 Act, the ICO published a number of more detailed guidance pieces on different aspects of IT security. These will be updated to reflect the GDPR’s requirements in due course.
- IT security top tips – for further general information on IT security;
- IT asset disposal for organisations (pdf) – guidance to help organisations securely dispose of old computers and other IT equipment;
- A practical guide to IT security – ideal for the small business (pdf);
- Protecting personal data in online services – learning from the mistakes of others (pdf) – detailed technical guidance on common technical errors the ICO has seen in its casework;
- Bring your own device (BYOD) (pdf) – guidance for organisations who want to allow staff to use personal devices to process personal data;
- Cloud computing (pdf) – guidance covering how security requirements apply to personal data processed in the cloud; and
- Encryption – advice on the use of encryption to protect personal data.
Payment Card Data
If the charity is processing payment card data, the charity is obliged to comply with the Payment Card Industry Data Security Standard. The PCI-DSS outlines a number of specific technical and organisational measures that the payment card industry considers applicable whenever such data is being processed.
Although compliance with the PCI-DSS is not necessarily equivalent to compliance with the GDPR’s security principle, if the charity processes card data and suffers a personal data breach, the ICO will consider the extent to which the charity has put in place measures that PCI-DSS requires particularly if the breach related to a lack of a particular control or process mandated by the standard.
Testing, reviewing and evaluating
The GDPR specifically requires the charity to have a process for regularly testing, assessing and evaluating the effectiveness of any measures the charity puts in place. What these tests look like, and how regularly the charity does them, will depend on its own circumstances. However, it’s important to note that the requirement in the GDPR concerns its measures in their entirety; therefore whatever ‘scope’ the charity chooses for this testing should be appropriate to what the charity is doing, how the charity is doing it, and the data that the charity is processing.
Who can process at the charity?
The GDPR requires the charity to ensure that anyone acting under its authority with access to personal data does not process that data unless the charity has instructed them to do so. It is therefore vital that its staff understand the importance of protecting personal data, are familiar with its security policy and put its procedures into practice.
GDPR Training
The charity should provide appropriate initial and refresher training, including:
- its responsibilities as a data controller under the GDPR;
- staff responsibilities for protecting personal data – including the possibility that they may commit criminal offences if they deliberately try to access or disclose these data without authority;
- the proper procedures to identify callers;
- the dangers of people trying to obtain personal data by deception (e.g. by pretending to be the individual whom the data concerns, or enabling staff to recognise ‘phishing’ attacks), or by persuading its staff to alter information when they should not do so; and
- any restrictions the charity places on the personal use of its systems by staff (e.g. to avoid virus infection or spam).
In the event of a security breach
The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. The charity must do this within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, the charity must also inform those individuals without undue delay. The charity should ensure it has robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not the charity needs to notify the relevant supervisory authority and the affected individuals. The charity must also keep a record of any personal data breaches, regardless of whether the charity is required to notify.
What is a personal data breach?
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.
Personal data breaches can include:
- access by an unauthorised third party;
- deliberate or accidental action (or inaction) by a controller or processor;
- sending personal data to an incorrect recipient;
- computing devices containing personal data being lost or stolen;
- alteration of personal data without permission; and
- loss of availability of personal data.
Recital 87 of the GDPR makes clear that when a security incident takes place, the charity should quickly establish whether a personal data breach has occurred and, if so, promptly take steps to address it, including telling the ICO if required.
What breaches does the charity need to notify the ICO about?
When a personal data breach has occurred, the charity needs to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then the charity must notify the ICO; if it’s unlikely then the charity doesn’t have to report it.
However, if the charity decides it doesn’t need to report the breach, the charity needs to be able to justify this decision, so the charity should document it.
In assessing risk to rights and freedoms, it’s important to focus on the potential negative consequences for individuals. Recital 85 of the GDPR explains that:
“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”
This means that a breach can have a range of adverse effects on individuals, which include emotional distress, and physical and material damage. Some personal data breaches will not lead to risks beyond possible inconvenience to those who need the data to do their job. Other breaches can significantly affect individuals whose personal data has been compromised. The charity needs to assess this case by case, looking at all relevant factors.
Example
The theft of a customer database, the data of which may be used to commit identity fraud, would need to be notified, given the impact this is likely to have on those individuals who could suffer financial loss or other consequences. On the other hand, the charity would not normally need to notify the ICO, for example, about the loss or inappropriate alteration of a staff telephone list.
What role do processors have?
If the charity uses a data processor, and this processor suffers a breach, then under Article 33(2) the processor must inform the charity without undue delay as soon as it becomes aware.
Example
The charity (the controller) contracts an IT services firm (the processor) to archive and store customer records. The IT firm detects an attack on its network that results in personal data about its clients being unlawfully accessed. As this is a personal data breach, the IT firm promptly notifies the charity that the breach has taken place. The charity in turn notifies the ICO.
This requirement allows the charity to take steps to address the breach and meet its breach-reporting obligations under the GDPR.
The charity must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. If the charity takes longer than this, the charity must give reasons for the delay.
Section II of the Article 29 Working Party Guidelines on personal data breach notification gives more details of when a controller can be considered to have “become aware” of a breach.
What information must a breach notification to the supervisory authority contain?
When reporting a breach, the GDPR says the charity must provide:
- a description of the nature of the personal data breach including, where possible:
  - the categories and approximate number of individuals concerned; and
  - the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer (if the charity has one) or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach; and
- a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
What if the charity does not have all the required information available yet?
The GDPR recognises that it will not always be possible to investigate a breach fully within 72 hours to understand exactly what has happened and what needs to be done to mitigate it. So Article 34(4) allows the charity to provide the required information in phases, as long as this is done without undue further delay. However, the ICO expects controllers to prioritise the investigation, give it adequate resources, and expedite it urgently. The charity must still notify the ICO of the breach when the charity becomes aware of it, and submit further information as soon as possible. If the charity knows it won’t be able to provide full details within 72 hours, it is a good idea to explain the delay to the ICO and say when the charity expects to submit more information.
When does the charity need to tell individuals about a breach?
If a breach is likely to result in a high risk to the rights and freedoms of individuals, the GDPR says the charity must inform those concerned directly and without undue delay. In other words, this should take place as soon as possible.
A ‘high risk’ means the threshold for informing individuals is higher than for notifying the ICO.
Again, the charity will need to assess both the severity of the potential or actual impact on individuals as a result of a breach and the likelihood of this occurring. If the impact of the breach is more severe, the risk is higher; if the likelihood of the consequences is greater, then again the risk is higher. In such cases, the charity will need to promptly inform those affected, particularly if there is a need to mitigate an immediate risk of damage to them. One of the main reasons for informing individuals is to help them take steps to protect themselves from the effects of a breach.
Example
A hospital suffers a breach that results in an accidental disclosure of patient records. There is likely to be a significant impact on the affected individuals because of the sensitivity of the data and their confidential medical details becoming known to others. This is likely to result in a high risk to their rights and freedoms, so they would need to be informed about the breach.
A university experiences a breach when a member of staff accidentally deletes a record of alumni contact details. The details are later re-created from a backup. This is unlikely to result in a high risk to the rights and freedoms of those individuals. They don’t need to be informed about the breach.
If the charity decides not to notify individuals, it will still need to notify the ICO unless it can demonstrate that the breach is unlikely to result in a risk to rights and freedoms. The charity should also remember that the ICO can compel the charity to inform affected individuals if the ICO considers there is a high risk. In any event, the charity should document its decision-making process in line with the requirements of the accountability principle.
What information must the charity provide to individuals when telling them about a breach?
The charity needs to describe, in clear and plain language, the nature of the personal data breach and, at least:
- the name and contact details of its data protection officer or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach; and
- a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
Does the GDPR require any other steps in response to a breach?
The charity should ensure that it records all breaches, regardless of whether or not they need to be reported to the ICO.
Article 33(5) requires the charity to document the facts relating to the breach, its effects and the remedial action taken. This is part of its overall obligation to comply with the accountability principle, and allows the ICO to verify the charity’s compliance with its notification duties under the GDPR.
As with any security incident, the charity should investigate whether or not the breach was a result of human error or a systemic issue and see how a recurrence can be prevented – whether this is through better processes, further training or other corrective steps.
DPA security breach
Under the Data Protection Act, although there is no legal obligation on data controllers to report breaches of security, many choose to do so and the charity believes that serious breaches should be reported to the ICO. Examples of personal data breaches include the loss of a USB stick, data being destroyed or sent to the wrong address, the theft of a laptop, or hacking. Find out more about how to report a data breach or call the ICO dedicated personal data breach helpline. Normal opening hours are Monday to Friday between 9am and 5pm. Telephone Number: 0303 123 1113
Breach reporting is changing under the GDPR
From 25 May 2018, mandatory breach notification is being introduced under the General Data Protection Regulation (the GDPR). For more details, please see the Personal data breaches page of the ICO’s Guide to the GDPR. Failing to notify a breach when required to do so can result in a significant fine of up to 10 million euros or 2 per cent of global turnover. The fine can be combined with the ICO’s other corrective powers under Article 58. So it’s important to make sure the charity has a robust breach-reporting process in place to ensure it detects and can notify a breach on time, and can provide the necessary details.
Appendix/References
The principles are that personal data shall be: “
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
Lawful processing
Identify the charity’s legal basis for processing personal data and document this.
- Consent of the data subject
- Necessary for the performance of a contract with the data subject
Consent
- No assumed consent or consent by no action
- Must opt in
- Can be verbal – must be recorded
- All consent must be verifiable – keep records of how and when consent was given.
- Keep consent under review
- Q: would the individual have reasonably expected that their data would have been processed for this purpose at the time and in the context of the collection of their personal data?
Withdrawing consent must be simple for the data subject.
Children
Systems may need to be put into place to verify individuals’ ages and to obtain parental/guardian consent for any data processing activity.
Access
- Individuals can request access to their personal data – must respond within one month and must be free of charge.
- Individuals have a right to erasure of their personal data.
Breach of data
- Anything that is portable (equipment or a pen drive/disk) that contains any personal data of others must be password protected if taken off site.
- The ICO is to be notified of any breach not later than 72 hours after becoming aware of the breach.
- If the breach is likely to result in high risk to rights and freedoms of an individual, the data controller must notify the individual.
Penalties
- Noah’s Ark Charity is subject to harsh penalties if non-compliant.
- Consider the damage to our reputation if found to be non-compliant.