BIOR is committed to safeguarding personal data.
This Data Breach Policy explains the responsibilities of BIOR where data security has been breached. A breach is normally a security incident that affects the confidentiality, integrity or availability of data.
BIOR staff, contractors and centre staff must be made aware of, understand and follow this policy.
Whenever any personal data is lost, destroyed, corrupted or disclosed; whenever someone accesses the data or passes it on without proper authorisation; or whenever the data is made unavailable, for example because it has been encrypted by ransomware or accidentally lost or destroyed, this must be reported to BIOR’s AO Manager, who will escalate it to the Data Compliance Officer (DCO).
A data breach may occur where:
BIOR, or any centre that experiences a data breach, must establish the likelihood and severity of the resulting risk to people’s rights and freedoms.
What to do if there is a data breach at a BIOR Centre
Where a centre delivering BIOR qualifications experiences a breach it must notify BIOR of this. The following information should be provided within 24 hours, or sooner:
BIOR and any centre experiencing a data breach must take steps to detect the breach and investigate its circumstances.
If the breach is likely to affect BIOR systems or data, notify BIOR’s AO Manager immediately. Similarly, if a breach is notified to the ICO, advise BIOR immediately.
Core response - The incident response cycle
The four core response stages are 1) Analyse, 2) Contain, 3) Remediate and 4) Recover.
Throughout the response, all tasks and findings will be tracked. Findings and analyses will be correlated, and response actions re-prioritised as the investigation progresses.
What BIOR, or its centres, must notify to the ICO (Information Commissioner’s Office)
Whether the ICO must be notified depends on the likelihood and severity of the resulting risk to people’s rights and freedoms. If the breach is likely to result in a risk to those rights and freedoms, the ICO must be notified.
In assessing the risk, Recital 85 of the GDPR explains that:
“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”
A breach can therefore have a range of adverse effects on individuals, including emotional distress and physical and material damage. BIOR may also be required to report the breach to Ofqual where there is a potential adverse effect.
If BIOR or a centre decides not to report the breach to the ICO, it must be able to justify that decision, and the decision and its reasoning must be documented.
Any notifiable breach must be reported to the ICO without undue delay and no later than 72 hours after the organisation becomes aware of it.
BIOR and its centres must keep a record of any personal data breaches, regardless of whether they are reported to the ICO.
Any data breach must be reported to BIOR’s AO Manager.
Any questions on this policy or process should be directed to BIOR’s Legal Adviser.