Data Protection Breach Reporting Procedure

As a Chambers, we are responsible for ensuring that personal data processed by the Chambers is not:

  • Accessed without authority;
  • Processed unlawfully;
  • Lost;
  • Destroyed; or
  • Damaged.

Nevertheless, we realise that sometimes things may go wrong, and we might fail to achieve one or more of our data protection responsibilities. If this does happen, we must take steps to try to put things right. However, we can do this only if we know there has been a problem. Therefore, everybody within Chambers has a duty to report any actual or suspected data breach, regardless of whether they have discovered or caused it.

WHAT IS A DATA PROTECTION BREACH?

A data protection breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

Data protection breaches can happen for a wide range of reasons, including:

  • Human error;
  • Cyber-attacks;
  • Loss or theft of devices or equipment on which personal data is stored;
  • Inadequate or inappropriate access controls;
  • Deceit; and
  • Disasters at Chambers’ premises, for example, fire or flood.

If you are unsure whether a particular circumstance or incident constitutes a data protection breach, refer the matter urgently to the Head of Chambers, Isabelle Watson, and the Data Protection Manager, Clive Barrett, for guidance. Err on the side of reporting: the deadlines below run from the time a breach becomes known, so an incident should be raised as soon as it is suspected rather than once it has been fully investigated.

REPORTING DATA BREACHES

Reporting of data breaches by Barristers and Chambers

The person responsible for the breach will report it to the Information Commissioner’s Office (ICO) without undue delay and, in any event, within 72 hours of becoming aware of it. Under the GDPR, notification to the ICO is required where the breach is likely to result in a risk to the rights and freedoms of individuals; the 72 hours run from awareness of the breach, not from when it occurred, and if the full facts are not yet known the report may be made in stages. If in any doubt about whether a breach needs to be notified, take advice from the Head of Chambers and the Data Protection Manager before deciding not to report it.

[Guidance on reporting a breach to the ICO is given under ‘How to report a breach to the ICO’ below.]

Barristers are data controllers in their own right and are individually responsible for complying with the notification and reporting obligations of the GDPR; they are under no regulatory obligation to report a breach to Chambers. Nonetheless, Chambers recognises its role as a data processor and acknowledges an obligation to support data controllers in those cases where it is appropriate to do so.

Therefore, in the case of a data breach caused by a Member of Chambers, the Barrister is requested (in addition to their regulatory obligations) to report the breach to Isabelle Watson, Head of Chambers, and Clive Barrett, Data Protection Manager.

Chambers, in its capacity as data processor, will support any Barrister in reporting and managing a data breach.

Reporting of data breaches by Pupils and Staff

All personal data breaches involving pupils and staff must be reported by email to the Head of Chambers and the Data Protection Manager immediately upon discovery, so that they can give guidance.

The person responsible for the breach will report it to the Information Commissioner’s Office (ICO) without undue delay and, in any event, within 72 hours of becoming aware of it.

[Guidance on how to report a breach to the ICO is given under ‘How to report a breach to the ICO’ below.]

When making a report, please detail:

  • the nature of the suspected breach (for example theft, loss, destruction, unauthorised access or disclosure)
  • the nature of the data involved in the breach (sensitive, personal, commercial etc.)
  • the scope of the breach (single client, multiple clients, internal data)
  • a description of the events relating to the breach (an overview of how the breach came about)
  • any Chambers’ staff, barristers and/or other parties involved
  • when the breach occurred and when it was discovered
  • any other information considered relevant

How to report a breach to the ICO

To report a breach, call the ICO helpline at 0303 123 1113 (normal opening hours are Monday to Friday between 9.00 am and 4.30 pm).

The ICO will record the breach and give you advice about what to do next.

To report a breach outside their normal opening hours, you can report online. Go to the ‘Report a breach’ page of the ICO website, scroll down and select the ‘Personal data breach reporting form’, which opens as a downloadable Word document.

Complete the reporting form and email it as follows:

  1. In the subject line of your email, insert ‘Personal data breach notification’.
  2. Copy (cc) clive.barrett@4bc.co.uk.
  3. Attach the completed reporting form and send the email to casework@ico.org.uk.

Based on your information, the ICO should contact you within seven calendar days to provide information about their next steps.