Data breach reporting procedure

How to report an incident where personal data has been lost, destroyed, corrupted or disclosed.

Is this for you?

It’s for all employees and volunteers.

Key points

This procedure contains instructions on how to report a data breach/security incident where personal data has been lost, destroyed, corrupted or disclosed.

Examples include: when data is passed on without proper instruction; when data is made unavailable; when data is accidentally lost; or when information is disclosed to someone within Barnardo’s who should not see it.

Once a breach/incident is reported, our Data Protection Officer (DPO) will decide whether it meets the threshold for reporting to the Information Commissioner’s Office (ICO). The law requires us to report serious breaches/incidents to the ICO within 72 hours of discovering the incident, so it is important that all breaches and incidents are submitted as soon as possible to allow time for investigation.

Your responsibilities

You should report all data breaches/security incidents to your line manager, or, in your line manager’s absence, to the data protection manager (DPM) for your business area, as soon as you become aware of them. You should also report if you only suspect a breach.

To report a breach, click on this link, which will take you through to the assessment in OneTrust. The process is fairly easy to follow, but additional guidance is provided in the link below.

Once you have completed the assessment, your DPM will review it and, where needed, can clarify your responses directly through the assessment. Where the DPM feels additional information is required on a number of questions, they may push the assessment back to you for completion and resubmission. You will receive an email notification from OneTrust if your DPM has a question, if you need to add information to the assessment itself, or to let you know the assessment has been approved.

If you are required to inform the individual whose information was breached, your DPM or the DPO will let you know.