Annex 2: Breach risk assessment guidance
If you are notified by someone who works for us of a potential data breach, use the points below as a guide to assess it. This will help the Data Protection Officer decide whether the Information Commissioner's Office needs to be notified. Any potential breach is to be logged regardless of whether it is reported to the Information Commissioner's Office.
- What type of data is involved?
- How sensitive is it? (Remember that some data is sensitive because of its very personal nature (health records), while other data types are sensitive because of what might happen if they are misused (bank account details).)
- If data has been lost or stolen, are there any protections in place such as encryption?
- What has happened to the data? (If data has been stolen, it could be used for purposes which are harmful to the individuals to whom the data relate; if it has been damaged, this poses a different type and level of risk)
- Regardless of what has happened to the data, what could the data tell a third party about the individual? (Sensitive data could mean very little to an opportunistic laptop thief while the loss of apparently trivial snippets of information could help a determined fraudster build up a detailed picture of other people)
- How many individuals' personal data are affected by the breach? (It is not necessarily the case that the bigger risks will accrue from the loss of large amounts of data, but the number affected is certainly an important determining factor in the overall risk assessment.)
- Who are the individuals whose data has been breached? (Whether they are staff, customers, clients or suppliers, for example, will to some extent determine the level of risk posed by the breach and, therefore, your actions in attempting to mitigate those risks)
- What harm can come to those individuals? (Are there risks to physical safety or reputation, of financial loss or a combination of these and other aspects of their life?)
- Are there wider consequences to consider such as a risk to public health or loss of public confidence in an important service you provide?
- If individuals' bank details have been lost, consider contacting the banks themselves for advice on anything they can do to help you prevent fraudulent use.
- Decision