Data Security Breach Policy
Data security breaches are increasingly common, whether caused by human error or by malicious intent. As technology changes and the volume of data and information grows, new ways for data to be breached keep emerging. Finance4U Group needs a robust and systematic process for responding to any reported data security breach, so that we can act responsibly and protect our information assets as far as possible.
Policy Owner
The group policy owner for this policy is the Proprietor, Graham Daniels.
The aim of this policy is to standardise the Finance4U Group response to any reported data breach incident and to ensure that incidents are appropriately logged and managed in accordance with our best practice guidelines.
By adopting a standardised, consistent approach to all reported incidents, it aims to ensure that:
Incidents are reported in a timely manner and can be properly investigated
Incidents are handled by appropriately authorised and skilled personnel
Appropriate levels of Finance4U Group management are involved in response management
Incidents are recorded and documented
The impact of each incident is understood and action is taken to prevent further damage
Evidence is gathered, recorded and maintained in a form that will withstand internal and external scrutiny
External bodies or data subjects are informed as required
The incidents are dealt with in a timely manner and normal operations restored
The incidents are reviewed to identify improvements in policies and procedures.
A data security breach is considered to be “any loss of, or unauthorised access to, Finance4U Group data”. Examples of data security breaches may include:
Loss or theft of data or equipment on which data is stored
Unauthorised access to confidential or highly confidential Finance4U Group data
Equipment failure
Human error
Unforeseen circumstances such as a fire or flood
Hacking attack
‘Blagging’ offences where information is obtained by deceit
For the purpose of this policy data security breaches include both confirmed and suspected incidents.
This Finance4U Group Ltd policy applies to all information we hold, regardless of format, and is applicable to all staff, visitors, contractors, consultants and data processors acting on behalf of Finance4U Group Ltd. It is to be read in conjunction with the Finance4U Group Ltd Data Protection Policy and any other relevant documentation.
Information users:
All information users are responsible for reporting actual, suspected, threatened or potential information security incidents and for assisting with investigations as required, particularly if urgent action must be taken to prevent further damage.
Supervisors are responsible for ensuring that staff in their area comply with this policy and assist with investigations as required.
Data Protection Officer:
The Data Protection Officer (DPO) will be responsible for overseeing management of the breach in accordance with the Data Breach Plan. Suitable delegation may be appropriate in some circumstances.
Contact Details:
In the event that the MD or DPO needs to be contacted, Graham Daniels can be reached via our contact form.
Data Classification
Data security breaches vary in impact and risk depending on the content and quantity of the data involved, so it is important that Finance4U Group Ltd can quickly identify the classification of the data and respond to all reported incidents in a timely and thorough manner.
All reported incidents must include the appropriate data classification so that an assessment of risk can be conducted. Data classification referred to in this policy means the following approved Finance4U Group Ltd Data Categories:
Public Data:
Information intended for public use, or information which can be made public without any negative impact for Finance4U Group Ltd
Internal Data:
Information regarding the day-to-day business and operations of Finance4U Group Ltd. Primarily for staff, though some information may be useful to third parties who work with Finance4U Group Ltd.
Confidential Data:
Information of a more sensitive nature for the business and operations of Finance4U Group Ltd, representing its basic intellectual capital and knowledge. Access should be limited to those people who need to know as part of their role within Finance4U Group Ltd.
Highly Confidential Data:
Information that, if released, would cause significant damage to Finance4U Group Ltd’s business activities or reputation, or would lead to a breach of the Data Protection Act. Access to this information should be highly restricted.
Data Security Breach Reporting
Confirmed or suspected data security breaches should be reported promptly to admin via our contact form. The report should include full and accurate details of the incident, including who is reporting it and what classification of data is involved. Where possible the Data Breach Report form should be completed as part of the reporting process, and the incident entered in the Data Breach Log.
Once a data breach has been reported an initial assessment will be made to establish the severity of the breach and how it should be handled.
All data security breaches will be centrally logged in the Data Breach Log to ensure appropriate oversight in the types and frequency of confirmed incidents for management and reporting purposes.
Data Breach Management Plan
The management response to any reported data security breach will involve the following four elements. A suggested checklist is given below.
Containment and Recovery
Assessment of Risks
Consideration of Further Notification
Evaluation and Response
Each of these four elements will need to be conducted in accordance with the checklist for Data Security Breaches. A Data Breach Log recording the timeline of the incident management should also be completed.
Staff, contractors, consultants, visitors and guests who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures or other appropriate sanctions.
The DPO will monitor the effectiveness of this policy and carry out regular reviews of all reported breaches.
Information Commissioner:
Evaluation of Incident Severity
The severity of the incident will be assessed in line with the standard IS Incident Management Process (that is, by the DPO). All breaches of data protection will be reported immediately to the DPO for assessment.
Assessment will be made on the following criteria:
Major or critical breaches of data security: for example, loss of over 1,000 data items, incidents involving external third parties, or incidents likely to attract media coverage; these require an immediate response.
Moderately critical breaches of data security: for example, loss of between 100 and 999 data items; incidents not requiring an immediate response.
Low or minor breaches of data security: for example, Internal or Confidential Data affecting a low number of individuals and causing only small inconvenience to data subjects.
Data Breach Action Checklists
Containment and Recovery
Assessment of Risks
Consideration of Further Notification
Evaluation and Response
The DPO will first assess the severity of the breach and, if necessary, report it to the ICO within 2 working days of becoming aware of the breach and in any case no later than the 72 hours after becoming aware that the UK GDPR requires, where notification is required.
Data Protection Registration Number: ZB638471