Data Breach Policy and Procedure

Introduction

Every care is taken by Comity Recruitment Ltd to protect personal data from situations where a data protection breach could compromise security.

This policy and procedure apply to all staff, trainees, trainers, learners, partners, suppliers, contractors, or third parties we work with. It should be read in conjunction with the below:

  • Data Protection Policy (GDPR)
  • Data Rights Policy and Procedure
  • Data Retention and Disposal Policy

The objective of this policy is to enable staff to act promptly to contain any breaches that occur, minimising the risk associated with the breach, and to take action if necessary to secure personal data and prevent further breaches.

Comity Recruitment Ltd expects its staff to embed security and prevention practices in their normal working day to ensure personal, or special category, data is protected for the purposes of the business and must take appropriate steps to safeguard this information.

Under the Data Protection Act, although there is no legal obligation on data controllers to report breaches of security, the new General Data Protection Regulation (GDPR) means:

We must report any breach that is likely to impact on data subjects. The procedure below is set out to help you identify when a breach has taken place and what the action should be.

What is a Data Breach?

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed in connection with the purposes of Comity Recruitment Ltd’s business.

A breach in IT security or an external threat to Comity Recruitment Ltd networks or systems should also be documented and investigated in the same way.

A personal data breach includes, but is not restricted to, the following:

  • Loss or theft of data or equipment on which personal or sensitive data is stored (e.g., loss of laptop, USB pen, iPad/Tablet device, or paper record).
  • Inappropriate access controls allowing unauthorised use.
  • Equipment theft or failure.
  • Unforeseen circumstances such as fire or flood.
  • Hacking attack.
  • Human error.
  • Offences where information is obtained by deceiving the holder of the information, Comity Recruitment Ltd.
  • Unauthorised disclosure of sensitive/personal data.

Destruction of paperwork or electronic records in accordance with the internal Retention and Disposal Policy does not constitute a breach.

What Type of Personal Data Does Comity Recruitment Ltd Use?

Definition of Personal Data:
Can a living individual be identified from the data, or, from the data and other information in your possession? If the data ‘relates to’ the identifiable living individual, whether in personal or family life, business, or profession, then it is Personal Data.

We collect Personal Data from jobseekers on their registration form and CV, which we then input into Comity Recruitment Ltd record system. This includes information such as:

  • Name, contact details, date of birth, emergency contact, ethnicity, NI number, bank details, disabilities, health information, criminal convictions (if applicable), their photo, and employment status.

The information we record whilst the jobseeker is registered with us is considered Personal Data.

We collect Personal Data from staff as they complete the recruitment process and in relation to their employment contracts. Each staff member will have an employee file on paper and an electronic record held on our central HR system. This includes information such as:

  • Name, contact details, date of birth, NI number, next of kin, bank details, pension details, certifications/qualifications, employment terms and conditions.

Comity Recruitment Ltd also records information relating to sickness absence and any incidents or disciplinary action that have occurred during their employment.

We hold Personal and Financial information about our Clients, Suppliers, and Third-Party Organisations. Although the amount of information we hold on individuals may be minimal and may relate to their business or profession, if they are identifiable as a living individual, it still counts as Personal Data.

The information we collect may be on paper, stored in electronic files, or stored within systems, but all formats constitute part of the individual’s Personal Data, and as such must all be protected by Comity Recruitment Ltd employees against a breach occurring.

How Will Comity Recruitment Ltd Assess the Risk?

Some data breaches may not lead to risks beyond possible inconvenience to those who need the data to undertake their role. Following immediate containment, the risks must be assessed which may be associated with the breach, potential adverse consequences to the individuals, as well as Comity Recruitment Ltd itself, and the seriousness of the breach must be considered further to immediate containment.

Data security breaches will vary in impact and risk depending on the content and the quantity of the data involved. Therefore, it is important that Comity Recruitment Ltd is able to quickly identify the classification of the data and assess the risk to data subjects or Comity Recruitment Ltd.

For the purposes of this policy, data security breaches include both confirmed and suspected incidents.

The following must be considered upon discovering a data breach:

  • The type of data involves its sensitivity.
  • If data has been lost or stolen, whether data has been protected by encrypted devices or software.
  • What has happened to the data, such as the possibility that it may be used to cause harm to the individual(s).
  • Who the individuals are, the number of individuals involved, and the potential effects on those data subjects.
  • Whether there are wider consequences to the breach.
  • Whether any actions have been taken during the breach that contravene the policies, procedures, and training in place.

What Do You Do if You Discover a Data Breach?

It is important that you play a part in reporting the breach. For Comity Recruitment Ltd employees, failure to follow the correct procedure or ignoring a possible data breach may result in disciplinary action.

Identifying and Reporting a Data Breach:

  • If you discover a data breach, you must report this to our Data Protection Officer (DPO) immediately.
  • The Data Protection Officer is Edward Amusan, and any breach, or suspected breach, can be sent for his attention at ed***********@co***************.com.

All breaches, big or small, regardless of the harm or potential harm, should be identified and reported.

False alarms or even breaches that do not cause any harm to individuals or to Comity Recruitment Ltd should nevertheless be reported, as it will enable Comity Recruitment Ltd to learn lessons in how to respond and the remedial action that we put in place.

Becoming Aware of a Data Breach – Investigating

We become aware of a data breach when we have a reasonable degree of certainty that a security incident has occurred that has led to personal data or security being compromised. From this point, our time limit for notification to the Information Commissioner’s Office (ICO) will commence.

When you report a data breach to Comity Recruitment Ltd’s DPO, they will promptly investigate the breach to ascertain whether we are fully aware that a breach has occurred leading to personal data being compromised for our data subjects.

The investigation will be done within 48 hours of a breach being reported to Comity Recruitment Ltd so that it can ensure it complies with the 72-hour deadline to report any data subject or serious security breaches in a timely way to the ICO.

Assessing a Data Breach

Once you have reported a breach and our DPO has investigated it and has decided that we are aware that a breach has occurred, the DPO will log the breach in our GDPR Data Breach Register and will carry out an initial assessment of the breach to evaluate its severity.

Once the level of severity is known, our DPO will notify the director. If necessary, we will appoint a response team, which may involve, for example, our HR and IT teams, and we will assign responsibility for tasks as necessary across the response team.

We will then investigate the breach and consider any ongoing risks to Comity Recruitment Ltd and any individuals affected.

If our DPO and director consider that the breach is profoundly serious, they will consider the impact on our reputation and the effect it may have on the trust placed in us.

Formulating a Recovery Plan

Our DPO and director will investigate the breach and consider a recovery plan, if required, to minimise the risk to individuals.

As part of the recovery plan, our DPO and director may interview any key individuals involved in the breach to determine how the breach occurred and what actions have been taken.

Notifying a Data Breach to the Information Commissioner’s Office (ICO)

Unless the breach is unlikely to impact data subjects or result in a risk to the rights and freedoms of individuals, we must notify the breach to the ICO within 72 hours of becoming aware of the breach.

The content of the notification will be drafted by our DPO, and any notification to the ICO must only be made by the DPO.

Notifying a Data Breach to Individuals

We must also notify the individuals concerned as soon as possible where the breach is likely to result in a high risk to their rights and freedoms.

The content of the notification will be drafted by our DPO in line with our procedures and in conjunction with consulting the ICO if considered necessary. We will notify individuals in clear and plain language and in a transparent manner (e.g., by email, SMS, or letter).

Please be aware that under no circumstances must you try and deal with a data breach yourself.

In some circumstances, we may not need to notify the affected individuals. Our DPO will decide whether this is the case.

Notifying a Data Breach to Other Relevant Third Parties

We may also consider that it is necessary to notify other third parties about the data breach depending on the nature of the breach. This could include:

  • Insurers
  • Police
  • Employees
  • Clients
  • Sponsors
  • Banks
  • Contract counterparties

The decision as to whether any third parties need to be notified will be made by our DPO and director. They will decide on the content of such notifications and act within 5 days of becoming aware of the data breach.

Updating Notifications

We need to keep the ICO up to date about the data breach. If anything changes from the time we send the initial notification to the ICO, our DPO will consider whether we need to update the ICO about the data breach.

Evaluation and Response

The key to preventing further incidents is to ensure that Comity Recruitment Ltd learns from previous incidents.

It is extremely important to identify the actions that Comity Recruitment Ltd needs to take to prevent a recurrence of the incident.

Our DPO and the director will carry out an evaluation as to the effectiveness of our response to the data breach and document this in our GDPR Data Breach Register. The director may then make changes to Comity Recruitment Ltd procedures to minimise the likelihood of incidents occurring again.