Under GDPR certain types of data breach must be reported to the relevant supervisory authority (in the UK the Information Commissioner’s Office – ICO) within 72 hours of discovery and, in some cases, to the individuals affected. This is a tight timescale, considering you need to find out about the breach, establish if it is reportable and then report it to the ICO, even if it is just an initial report.
Under GDPR, the definition of a “personal data breach” is a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. This means that a breach is more than just the loss of personal data; it is about whether the breach is likely to result in a risk to the rights and freedoms of individuals.
GDPRiS is designed to streamline the process of breach reporting, enabling your school to track and manage breaches and respond within these tight, new timescales. The breach reporting process in GDPRiS follows the guidance provided by the ICO.
All staff should be pro-active in reporting anything they believe may be a breach, whether arising from their own actions or from other incidents they become aware of. The Data Protection Manager in school and/or the DPO can then assess whether it is a reportable breach, take the necessary actions to contain it, put measures in place to mitigate its possible adverse effects, and ensure your school complies with GDPR.
Potential types of Data Breaches in School
Below are some examples of what could be classed as a Data Breach; however, the list is not definitive:
- An email sent out with the wrong child’s details on it
- A photo used without consent
- Laptop lost or stolen
- USB stick loss
- Exam results sent to a newspaper without consent
- An email with all addressees showing
- Information on the school website or social media without consent
ICO advice on preparing for a data breach
- Make sure that your staff understand what constitutes a data breach, and that it is about more than a loss of personal data
- Ensure that you have an internal breach reporting procedure in place. This will facilitate decision-making about whether you need to notify the relevant supervisory authority, individuals or the public
- In light of the tight timescales for reporting a breach, it is important to have robust breach detection, investigation and internal reporting procedures in place
When a breach is logged you will receive an email asking you to log in to GDPRiS.
Your breach notifications will also be available from your Dashboard immediately upon login and via the Breaches area of your site.
Record a Data Breach in GDPRiS
Access the Breach Area
Navigate to the Breach area via the Navigation Pane or the Data Breaches tile on the Dashboard.
Create a new Data Breach
Once you have navigated to the Breaches section, click the Add Breach button.
Select the date and time that the breach was Discovered from the calendar, which becomes visible once you click in the Discovered field. This is important to record correctly as this is the ‘start’ date and time for the 72 hours within which you must report ‘reportable’ breaches to the ICO.
Once you have selected Today or a time and date, click ‘Done’ at the bottom of the window.
Give your Breach a title in the ‘Title’ box and provide a description of the data breach in the Description box below.
Upload a document if required using Choose or the Drag and Drop method.
Once you have finished adding your information, click Add to add your breach to your breach list in GDPRiS.
Note: When a breach has been created, all School DP Staff users will receive a ‘notification of possible data breach’ email. If a School DP Staff user is creating the breach, that user will not receive an email notification.
The body of the email will show who created the breach and when.
A notification will show on the notification icon at the top right of the portal when the breach is initially raised.
The Breach tile on the dashboard will show a breach has been added against the month in which it was discovered.
The breach will be visible in the Breaches area of the portal, including the role of who added it, when it was discovered, when it was logged with GDPRiS, the type of breach and the present status. When a breach is initially logged it will have no type or status.
Managing a Data Breach
All Data Breaches reported by any user of GDPRiS will be stored in your Breaches area.
To manage and update a Data Breach, go to the Breaches list, and click on the breach you wish to manage. The breach record shows:
- Date/time a breach was discovered
- Date/time a breach was logged
- Who logged the breach
- Current Status (acknowledged / investigating / confirmed / actions completed / closed)
- Breach Type (non-breach / not reportable / Reportable – ICO / Reportable – Data Subjects)
- Original Description
- Most Recent Comment
- Attached Documents
- A log of all comments in descending order (the last 3 are shown by default, together with the total number of comments)
From the breach record you can:
- Add comments to keep an ongoing audit trail of discussions, actions and decisions
- Attach documents
- Change the Current Status
- Change the Breach Type
Updating a Breach
Navigate to the breaches area via the navigation pane and click on the breach you wish to manage.
Add relevant comments and/or questions or attach a document using Choose or the Drag and Drop method and change status and/or type. (When adding a document, you will be required to add a comment for audit purposes).
The breach title and description can also be changed here, but you will need to add a comment to justify the changes.
When making a change of status / type you must include a comment. This allows you to include a description of the document, explain the decision on changing status or clarify the decision on assigning a breach type.
Once you have completed the form click Save. An email notification will be sent to all School DP Staff users except the user who has made the update stating that a breach has been updated.
Tick Viewable by General Staff if you wish them to see any updates.
Adding Hyperlinks to Titles and Comments
It is possible to link to a webpage/shared URL on the title or within the comments box when updating a Data Breach.
You have 2 options for doing this:
- Type the URL, e.g. google.co.uk. Once you click Update, the full web link will appear in the recorded comment.
- Type the text you wish to see within [ ] and the full URL within ( ). For example, type [GOOGLE](https://www.google.co.uk); once you click Update, the text GOOGLE will appear as a link in the recorded comment.
The Breach List will also show updates to status and type.
Breach Colour Status
If the breach is new and has no type or status set, it will show up as RED.
If the breach has no type, or the type is set to either of the reportable types (Reportable – ICO or Reportable – Data Subjects), it will show as RED and the 72-hour rule applies.
If the breach has a type of either Non-Breach or Non-Reportable, it will show up as WHITE and is not subject to the 72-hour rule.
If the 72-hour deadline is close to being reached, it will show as AMBER.
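The colour rules above and the 72-hour clock can be expressed as a small function, shown here as an added example and not GDPRiS code. It assumes the type names as spelled in the Breach Type list, takes 12 hours before the deadline as the AMBER threshold (the guide does not state one), and keeps an overdue breach RED (also not stated by the guide).

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Type names as they appear in the GDPRiS guide's Breach Type list.
REPORTABLE_TYPES = {"Reportable - ICO", "Reportable - Data Subjects"}
EXEMPT_TYPES = {"Non-Breach", "Not Reportable"}
REPORTING_WINDOW = timedelta(hours=72)
# The guide does not say when AMBER begins; 12 hours before the deadline
# is an assumed threshold chosen for this example.
AMBER_THRESHOLD = timedelta(hours=12)

def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp (helper for the constructed examples)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)

def ico_deadline(discovered: datetime) -> datetime:
    """The 72-hour clock starts at the Discovered time, not the time the breach was logged."""
    if discovered.tzinfo is None:
        # Naive timestamps are rejected: a GMT/BST mix-up would move the deadline by an hour.
        raise ValueError("discovered must be timezone-aware")
    return discovered + REPORTING_WINDOW

def hours_remaining(discovered: datetime, now: datetime) -> float:
    """Hours left to make the initial ICO report; negative once the window has passed."""
    return (ico_deadline(discovered) - now) / timedelta(hours=1)

def colour_status(breach_type: Optional[str], discovered: datetime, now: datetime) -> str:
    """RED / AMBER / WHITE as described under 'Breach Colour Status'."""
    if breach_type in EXEMPT_TYPES:
        return "WHITE"                       # not subject to the 72-hour rule
    if breach_type is not None and breach_type not in REPORTABLE_TYPES:
        raise ValueError(f"unknown breach type: {breach_type!r}")
    remaining = ico_deadline(discovered) - now
    if timedelta(0) < remaining <= AMBER_THRESHOLD:
        return "AMBER"                       # close to the 72-hour deadline
    # New/untyped or reportable. The guide does not say what an overdue
    # breach shows, so it is assumed to stay RED.
    return "RED"

if __name__ == "__main__":
    # Constructed example: breach discovered at 09:00 UTC, then viewed at three later times.
    discovered = utc(2024, 3, 1, 9)
    for hours in (1, 65, 80):
        now = discovered + timedelta(hours=hours)
        print(f"after {hours:>2}h: {colour_status(None, discovered, now):5s} "
              f"{hours_remaining(discovered, now):+.1f}h remaining")
```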
Where an update marks the status as ‘Closed’ a warning box will appear to say ‘You are about to close this breach. Are you sure you wish to do this?’.
Once a breach is closed a General member of staff cannot update the breach.
DP Staff can reopen a breach by updating a breach and changing the status from Closed to a different status. This will allow you to enter and save the explanation for re-opening the breach.
NB: A notifiable breach must be reported to the ICO within 72 hours of your school becoming aware of it. The GDPR recognises that it will often be impossible to investigate a breach fully within that time period and allows you to provide information in phases. More advice on this is available from the ICO Helpline: https://ico.org.uk/for-organisations/report-a-breach/
Breaches, even those that do not fall within the requirements for reporting to the ICO, will remain in your system as evidence of the actions you took, and proof of the procedures you followed.
General Staff Users
Whilst General Staff users can log and update Data Breaches themselves, they do not have the same access rights as the School DP Staff users.
General Staff users will have the following rights regarding Data Breaches:
- Create a Data Breach entry
- Update a Data Breach which was created by them if it is still open
- Will only be able to see Data Breaches which they have added themselves
- Will only be able to see updates where DP Staff have ticked the Visible to General Staff box
- Add comments when updating a Data Breach
- Add documents when updating a Data Breach
- See a Data Breach Status or type when updating a Data Breach
General Staff users will not be able to do the following regarding Data Breaches:
- Control who can see comments and/or documents
- Update the Data Breaches Status
- Update a Closed Data Breach
If a Data Breach is marked ‘Closed’ and a General Staff user tries to update the breach, it will open in ‘Read Only’ mode.
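The access rules in this section, for both roles, are modelled below as an added example (not GDPRiS code). Role and status names follow the guide; the one assumption is that a General Staff user can see the comments they added themselves.

```python
from dataclasses import dataclass, field
from typing import List, Optional
DP_STAFF = "School DP Staff"      # role names as used in the GDPRiS guide
GENERAL_STAFF = "General Staff"

@dataclass
class Update:
    author: str
    comment: str
    viewable_by_general_staff: bool

@dataclass
class Breach:
    created_by: str
    status: Optional[str] = None        # no status until DP Staff set one
    updates: List[Update] = field(default_factory=list)

@dataclass
class User:
    name: str
    role: str

def can_view(user: User, breach: Breach) -> bool:
    # General Staff only see breaches they added themselves.
    return user.role == DP_STAFF or breach.created_by == user.name

def visible_updates(user: User, breach: Breach) -> List[Update]:
    # DP Staff see every update; General Staff only those ticked viewable.
    if user.role == DP_STAFF:
        return list(breach.updates)
    return [u for u in breach.updates if u.viewable_by_general_staff]

def can_update(user: User, breach: Breach) -> bool:
    # A Closed breach is read-only for General Staff; DP Staff may reopen it.
    if user.role == DP_STAFF:
        return True
    return breach.created_by == user.name and breach.status != "closed"

def apply_update(user: User, breach: Breach, comment: str,
                 new_status: Optional[str] = None, viewable: bool = False) -> None:
    # Record an update, enforcing each role's rights (type changes follow the status rule).
    if not can_update(user, breach):
        raise PermissionError("breach is read-only for this user")
    if user.role == GENERAL_STAFF and (new_status or viewable):
        raise PermissionError("General Staff cannot change status/type or visibility")
    if new_status and not comment:
        raise ValueError("a status change must be accompanied by a comment")
    # Assumption: a General Staff user's own comments are viewable by General Staff.
    breach.updates.append(Update(user.name, comment, viewable or user.role == GENERAL_STAFF))
    if new_status:
        breach.status = new_status
```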