Data Security Breach Policy


Data security breaches are increasingly common occurrences, whether they are caused through human error or by malicious intent. As technology trends change and the creation of data and information grows, there are more emerging ways by which data can be breached. Finance4U Group needs to have in place a robust and systematic process for responding to any reported data security breach, so that it can act responsibly and protect its information assets as far as possible.


Policy Owner
The group policy owner for this policy is the Proprietor, Graham Daniels.


Aim
The aim of this policy is to standardise the Finance4U Group response to any reported data breach incident and ensure that incidents are appropriately logged and managed in accordance with our best practice guidelines.
By adopting a standardised, consistent approach to all reported incidents, it aims to ensure that:

Incidents are reported in a timely manner and can be properly investigated

Incidents are handled by appropriately authorised and skilled personnel

Appropriate levels of Finance4U Group management are involved in response management

Incidents are recorded and documented

The impact of the incidents is understood and action is taken to prevent further damage

Evidence is gathered, recorded and maintained in a form that will withstand internal and external scrutiny

External bodies or data subjects are informed as required

The incidents are dealt with in a timely manner and normal operations restored

The incidents are reviewed to identify improvements in policies and procedures.


Definition
A data security breach is considered to be “any loss of, or unauthorised access to, PFP data”. Examples of data security breaches may include:

Loss or theft of data or equipment on which data is stored

Unauthorised access to confidential or highly confidential Finance4U Group data

Equipment failure

Human error

Unforeseen circumstances such as a fire or flood

Hacking attack

‘Blagging’ offences where information is obtained by deceit

For the purpose of this policy data security breaches include both confirmed and suspected incidents.
Scope
This Finance4U Group Ltd policy applies to all information we hold, regardless of format, and is applicable to all staff, visitors, contractors, consultants and data processors acting on behalf of Finance4U Group Ltd. It is to be read in conjunction with the Finance4U Group Ltd Data Protection Policy and any other relevant documentation.

Responsibilities
Information users:
All information users are responsible for reporting actual, suspected, threatened or potential information security incidents and for assisting with investigations as required, particularly if urgent action must be taken to prevent further damage.

Supervisors
Supervisors are responsible for ensuring that staff in their area act in compliance with this policy and assist with investigations as required.

Data Protection Officer:
The Data Protection Officer will be responsible for overseeing management of the breach in accordance with the Data Breach Plan. Suitable delegation may be appropriate in some circumstances.


Contact Details:
In the event that the MD or DPO needs to be contacted, Graham Daniels can be contacted via our contact form.


Data Classification
Data security breaches will vary in impact and risk depending on the content and quantity of the data involved, therefore it is important that PFP is able to quickly identify the classification of the data and respond to all reported incidents in a timely and thorough manner.

All reported incidents will need to include the appropriate data classification in order for an assessment of risk to be conducted. Data classification referred to in this policy means the following approved Finance4U Group Ltd Data Categories:


Public Data:
Information intended for public use, or information which can be made public without any negative impact for Finance4U Group Ltd.


Internal Data:
Information regarding the day-to-day business and operations of PFP. Primarily for staff, though some information may be useful to third parties who work with Finance4U Group Ltd.


Confidential Data:
Information of a more sensitive nature for the business and operations of Finance4U Group Ltd, representing its basic intellectual capital and knowledge. Access should be limited to only those people who need to know as part of their role within Finance4U Group Ltd.


Highly Confidential Data:
Information that, if released, will cause significant damage to Finance4U Group Ltd’s business activities or reputation, or would lead to a breach of the Data Protection Act. Access to this information should be highly restricted.


Data Security Breach Reporting
Confirmed or suspected data security breaches should be reported promptly to admin via our contact form. The report should include full and accurate details of the incident, including who is reporting the incident and what classification of data is involved. Where possible, the Data Breach Report form should be completed as part of the reporting process, along with the Data Breach Log.
Once a data breach has been reported an initial assessment will be made to establish the severity of the breach and how it should be handled.
All data security breaches will be centrally logged in the Data Breach Log to ensure appropriate oversight in the types and frequency of confirmed incidents for management and reporting purposes.


Data Breach Management Plan

The management response to any reported data security breach will involve the following four elements. See below for suggested checklist.


Containment and Recovery

Assessment of Risks

Consideration of Further Notification

Evaluation and Response


Each of these four elements will need to be conducted in accordance with the checklist for Data Security Breaches. A Data Breach Log recording the timeline of the incident management should also be completed.


Authority
Staff, contractors, consultants, visitors and guests who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures or other appropriate sanctions.
Review
The DPO will monitor the effectiveness of this policy and carry out regular reviews of all reported breaches.


References
Information Commissioner:
https://ico.org.uk/media/for-organisations/documents/1562/guidance_on_data_security_breach_management.pdf
Evaluation of Incident Severity
The severity of the incident will be assessed per the standard IS Incident Management Process (that is, by the DPO). All breaches of data protection will be reported immediately to the DPO for assessment.


Assessment would be made based upon the following criteria:

Major or critical breaches of data security – such as loss of over 1,000 data items, issues involving external third parties, or likely media coverage; requiring immediate response.

Moderately critical breaches of data security – such as loss of between 100 and 999 data items; incidents not requiring immediate response.

Low or minor breaches of data security – such as Internal or Confidential Data, a low number of individuals affected, or small inconvenience to data subjects.

Data Breach Action Checklists

Containment and Recovery

Assessment of Risks

Consideration of Further Notification

Evaluation and Response

Reporting


The DPO will first assess the severity of the breach and report if necessary to the ICO within 2 working days of becoming aware of the breach.

Data Protection Registration Number: ZB638471

Email: info@finance4ugroup.co.uk