How can I avoid a data breach?
There are many ways to keep people’s data safe, and we are here to advise you on the IT aspects of this, including encrypting data or laptops, backing data up safely, and protecting your systems from intrusion by third parties. There are also practical ways to ensure data is safe, such as filing data in a locked cupboard, keeping files in a place safe from flooding or fire, and archiving or deleting files you no longer need to keep.
What should I do if I think I may have lost, damaged or destroyed someone’s personal data?
First, seek to confirm whether you have actually had a breach. There is a threshold that decides whether it needs to be reported to the Information Commissioner’s Office (ICO), and a reportable breach must be reported within 72 hours of your discovering it. Record what happened and why, who is involved, and a timeline that includes any actions you take.
Your priority is to establish what has happened to the personal data involved and to protect those who will be most affected. Can you recover the data? Can you ask the person to delete the file? If so, do! You should do whatever you can to protect those whose details have been released. Do whatever you can to avoid the risk of personal data falling into the wrong hands, for example changing all passwords and asking your staff to do the same.
The ICO has detailed guidance, a helpline or live chat facility, and a self-assessment tool you can use to decide if your breach is reportable or not.
Even if your breach isn’t reportable, you should assess any potential harm or detriment the data breach may cause to people. Is there a risk of identity theft, a safeguarding concern, or other harm or distress? You may conclude that it was a simple mix-up with little or no risk involved, or you may find that it poses a serious risk. It’s good to be transparent about how you assessed this risk, so the log and the risk assessment are important.
Do I need to let people know?
If you think there is a high risk to them, you have a legal duty to tell them without undue delay. If you don’t think there is a high risk to the people involved, you don’t have to let them know. There’s nothing to prevent you from telling people even if you don’t think there’s a high risk, but you need to balance the potential for causing unnecessary worry against the risk of potential harm. You may advise people to change passwords, to look out for phishing emails or unexpected activity on their accounts, and on ways to protect themselves from identity theft.