Data Breach Process Overview

 

Paper or Electronic Breach

Identification

  1. A process should be in place to identify Data Breaches or potential Data Breaches.
  2. Once a data breach, or potential data breach, is identified, it should immediately be recorded using the Data Breach Recording Form (Insert Link).
  3. An individual may also raise a concern regarding a potential breach; this must be investigated.
  4. Scouting Ireland should be informed immediately by phone on 01-4956300 or by email at dataprotection@scouts.ie.

Assessment:

  1. Using the Data Breach Recording Form, a risk assessment should be carried out to identify if there are risks to the Rights or Freedoms of the individual (Insert Link).
  2. If there is deemed to be no risk to the individual (for example, if the data has been encrypted or is anonymised), the reasons for this decision should be documented.
  3. Scouting Ireland should be notified by forwarding a copy of the Data Breach Form with the outcome recorded to dataprotection@scouts.ie.
  4. If there is a risk to the individual(s), the reasons for this decision must be documented and Scouting Ireland must be informed (within 48 hours of becoming aware of the breach).
  5. Scouting Ireland will inform the Data Protection Commissioner, as required, of becoming aware of the breach.
  6. If there is a high risk to the individual(s), the reasons for this decision must be documented, the Scouting Ireland Data Protection Officer must be informed (within 48 hours of becoming aware of the breach) and every individual involved must be informed without undue delay. Scouting Ireland will, in turn, report it to the Data Protection Commissioner's Office as required.

Notification:

If the Scouting Ireland Data Protection Officer is being notified of a breach, due to a risk or high risk to the rights and freedoms of the individual*, the following must be included:

  1. Description of the breach
  2. Categories of data involved (e.g. Contact details, Managing Medicines Forms, etc.)
  3. Number of individuals involved
  4. Description of likely consequences
  5. Description of measures taken or proposed to be taken to mitigate the risks
  6. Name and contact details of the Scout Group Data Protection representative

 

If an individual is being notified of a breach, due to a high risk to their rights and freedoms, the following must be communicated:

  1. Description of the breach in clear and plain English
  2. Description of measures taken or proposed to be taken to mitigate the risks
  3. Description of likely consequences
  4. Name and contact details of the Scout Group's Data Protection representative

 

Investigation & Outcomes

  1. If the Office of the national Data Protection Commissioner is involved, they will conduct an investigation and instruct on the actions to be taken to resolve the matter.
  2. The outcome of this investigation will be communicated to the Scout Group.
  3. The Scout Group must take whatever actions are instructed by the Data Protection Commissioner.
  4. The Scout Group must implement measures to ensure similar breaches cannot reoccur.

*Note: Rights or Freedoms of the individual:

The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.