
Data Breach reporting webinar


Hello, I'm Kirsty Kia and I work in the communications department here at the ICO. I'd like to welcome you to today's webinar. We're talking about personal data breach reporting under the General Data Protection Regulation. This webinar is aimed at data controllers, organisations responsible for personal data, and will be giving advice and guidance on how and when to report security breaches to the ICO. We'll also share our experience of the first few weeks of breach reporting under the GDPR, and we'll address some frequently asked questions.

So you'll be hearing in a moment from Laura Middleton, who heads up the personal data breach reporting team, and from Chris Green, who works in our policy department. Laura and Chris will take you through a few slides and, including your questions, we expect the session to run for around 45 minutes. If you're not able to stay with us throughout, a recording of today's webinar will be available from tomorrow on the ICO website.

So let me turn to questions. We've already had a few submitted by email and Twitter, but please ask questions as they occur to you by emailing us at webinars@ico.org.uk or via Twitter at @ICOnews. We won't be able to address them all, but we'll make sure we answer the most frequently asked. So I'll now hand over to Laura.

Thank you. Article 33 of the GDPR sets out the breach reporting requirement, and it says that you must report certain personal data breaches to the relevant supervisory authority, which for most data controllers in the UK is going to be the ICO. So we're going to talk to you about what constitutes a personal data breach, the circumstances in which you need to tell the ICO about it, because not every breach is reportable, and how to report it. So to get us started I'll hand over to Chris.

Thank you. First, what is a personal data breach? The GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. What does this mean in practice? Well, it means that a breach can be about more than just losing personal data, which is probably what comes to mind when you think of one. It also means that breaches can be the result of accidental or deliberate causes. So personal data breaches can vary in size and include things like access by an unauthorised third party, sending personal data to incorrect recipients, deliberate or accidental action (or inaction) by a controller or processor, the alteration of personal data without permission, loss of availability of personal data, and, yes, personal data being lost or stolen.
What should hopefully be clear is that a personal data breach is a breach of security that can negatively affect personal data in a number of ways. So that's what it is; I'm going to give you some examples of what it isn't. People commonly refer to any contravention of the legislation as a breach, but only personal data breaches, as you've just heard defined, and which we're going to discuss further throughout the webinar, are potentially reportable. So that means you don't have to tell us about things like your failure to respond to a subject access request on time, or the fact that you've sent marketing information to individuals without their consent. And, like the Data Protection Act 1998, the GDPR only applies to living people, and so if it would otherwise be a breach but there are only deceased people involved, it won't be a breach that you would need to report. So we're not saying that all of those things are okay; clearly you need to do something about them, but the breach reporting obligation doesn't apply to them.

Okay, so one way of thinking about personal data breaches is to use what is known as the CIA triad. Essentially, a personal data breach can be categorised broadly as a breach of security that has compromised the confidentiality, the integrity or the availability of personal data. These are three key elements of information security and are reflected in Article 32 of the GDPR, which concerns the security of personal data. Thinking of breaches in this way can help you identify if you have experienced one, and the potential consequences for individuals, which is important when it comes to assessing risk, which we'll cover later on.

So let's look at these categories in a bit more detail. A confidentiality breach is where there's been an unauthorised or accidental disclosure of, or access to, personal data. This includes the disclosure of personal information to someone who isn't supposed to see it, or where someone accesses information without permission. It also includes when information is lost and the data controller can't be certain it hasn't been accessed, for example if personal data has been left on public transport but later recovered. Thinking about examples of things that are not reportable: it will generally not be a security breach if you have sent mail to the address you hold on record for an individual where the person has moved address but failed to inform you. Because it's not a breach of security, it's not something that needs to be reported to the ICO, although there may be instances when you should not be using the post at all to send personal data, due to its sensitivity.

There will be an integrity breach when there is an unauthorised or accidental alteration of personal data. In other words, this is where the integrity of personal data has been maliciously or accidentally corrupted. It could also include where it's partially lost or destroyed. This includes technical issues such as data held in computer systems being corrupted, but can include things like hard copy data being damaged due to fire or flood.

Moving on to availability breaches, there will be an availability breach when there's been an accidental or unauthorised loss of access to, or destruction of, personal data. Again, this can include technical issues such as data being unavailable due to ransomware attacks, or hard copy records being lost or misplaced.
However, it's not a security breach if personal data is not available due to planned IT maintenance. What you should be able to see is that there's quite a lot of overlap between these categories, and a breach can be a combination of two or all of them. However, you don't need to worry about being able to place the breach you've experienced in one of these categories; they're designed to help you identify that you've had a breach within the meaning of the GDPR.

Now that we've covered what a personal data breach is, we can start to look at what the GDPR requires you to do if you experience one. Of course, you can only begin to manage a breach when you become aware of it. This is important because the GDPR's breach notification requirements kick in the moment you become aware of one. So when do you become aware of a personal data breach? In terms of awareness, the guidelines say that a controller becomes aware of a breach when it has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised. This will depend on the circumstances. In some cases it will be obvious from the outset that a breach has happened, whilst in other cases it may be less clear whether personal data has been compromised, and so you may need to establish whether this has happened. For example, you may be contacted by an individual who informs you that you sent them the personal data of another customer in error; they may even present you with evidence of this. It will be clear at that point that a breach of confidentiality has occurred, and so you can be considered to have become aware. Or you may detect a possible intrusion into your IT system, but you don't know if any personal data has been accessed or affected. You then check your system and confirm that personal data has been compromised; as you've now got clear evidence of a breach, you've become aware. The important thing is not that you have the full picture of the breach, but rather that you're reasonably confident that a breach has occurred. In any event, you need to take prompt action as soon as you suspect or detect a possible breach. So it's important that you and your staff can recognise a personal data breach, that you have measures in place to detect and establish if a breach has occurred, and a process in place to escalate the matter to the relevant person or team responsible for dealing with breaches. Again, preparation is key, and having plans in place for responding to personal data breaches will save time and energy that can be best used to address the breach.

Once you become aware of a personal data breach, you may have to notify that breach to the ICO. However, not every breach needs to be reported. The GDPR does say that you have to notify a breach unless it's not likely to result in a risk to the rights and freedoms of natural persons. This means that you'll need to do a risk assessment on becoming aware of a breach. It's a key step in dealing with any breach, as not only does it determine whether you need to notify the ICO, and potentially individuals too if it's likely to be a high risk, but it can also help shape your overall response to the breach by knowing the potential risks to people.

So what risks are you assessing? Essentially, you need to establish the likelihood and the severity of the risk to individuals' rights and freedoms as a result of the breach. This includes risks to people's privacy and data protection rights, but also risks to their other fundamental rights and interests. If it's likely that there will be a risk, then you must notify the ICO, but if it's unlikely then you don't have to report it. Risk implies more than a remote chance of some harm or damage taking place, so in assessing risk it's important to focus on the potential as well as the actual negative consequences for individuals. Some personal data breaches will not lead to risks beyond possible inconvenience to those who need the data to do their jobs; however, other breaches can significantly affect individuals whose personal data has been compromised. These adverse effects can include emotional distress and physical and material damage. It can also include individuals' loss of control over their data, limitation of their rights, discrimination, identity theft or fraud, financial loss, damage to reputation and loss of confidentiality. It can also include any other significant economic or social disadvantage to those individuals. So you need to think what the potential effects of a breach are, how severe these are, and how likely they are to happen. The focus should always be on protecting those individuals and their data, so it's really important to have a process in place for how you carry out a risk assessment. Again, preparation is key: having a mechanism already in place will save you time and effort during a breach.

So when assessing risk, there are some factors that your assessment should take into account to help you identify the risk to individuals, including both the severity and the likelihood of this occurring. This includes the type of breach: depending on what sort of breach has taken place, there may be a different set of consequences for individuals, so think of a disclosure of medical information versus a loss of medical information. The nature, sensitivity and volume of the personal data affected: usually, the more sensitive the data, the greater the risk of harm or damage that could result. A combination of data is typically more sensitive than a single piece of information. Small amounts of highly sensitive data can have a large impact on one person, but large volumes of data, which can reveal a greater range of details about a person, could similarly have great effects. How easy is it to identify individuals from the data? Some data may not seem identifiable at first, but if it's actually relatively easy to identify individuals then the risk may be greater. How severe are the consequences of the breach? Think of those consequences we mentioned earlier: identity theft, fraud, physical harm, distress, humiliation or damage to reputation. Also, how permanent are these effects? And are there any special characteristics of the individual or your organisation? For example, is the individual a child? Are they vulnerable, or may they be more susceptible to manipulation or at greater risk of danger as a result of the breach? Is your organisation processing large amounts of special category data, like medical details? Clearly a breach involving that type of data can have a greater impact on people. This is by no means an exhaustive list, and there can be other relevant factors depending on the circumstances, but we'd urge you to consider all the relevant factors if and when you experience a breach. So I'll now hand you back over to Laura.

Thank you. So the
GDPR says that, where feasible, you should report a breach within 72 hours of becoming aware of it. That is 72 real hours: it includes evenings, weekends and holidays. So you should use the 72 hours to contain the breach, assess it and carry out your initial investigation. When you report the breach, if more than 72 hours has passed since you became aware of it, you must explain why there's been a delay. And it's not enough simply to tell us that a breach has occurred; again, where feasible, you should provide the following information within 72 hours. Firstly, a description of what's happened, including how many people are affected, what categories of people are involved, what sort of records are involved and how many of those records are involved. You also need to tell us about the likely consequences; if you've made the decision to report, you've already considered the potential consequences to the individual, so you should be able to tell us about that. You need to tell us what you've done or what you're planning to do to put the matter right, both for the individuals involved in the breach and to stop something similar from happening again. And then finally, you need to tell us either the name of your data protection officer, if you have one, or another point of contact where we can get more information.

So thinking back to the earlier slide about what you need to do within 72 hours: if any of the information there is provided more than 72 hours after you became aware of the breach, you should tell us the reasons for the delay in providing that information. That said, the GDPR does recognise that it's not always possible to investigate a breach fully within 72 hours, to understand exactly what's happened and exactly what needs to be done to mitigate it, and for this reason it allows you to provide information in phases. So when you report to us, we'll discuss with you the timescales for providing more information, which will depend on how serious the breach is. In most cases we'll probably allow you a couple of weeks to provide more detail, but if a breach is serious we'll want to be speaking to you much more frequently, so we'd let you know if that's something that you need to do. Okay, shall we pause for a few
questions? Yes, we've had a few in. This is one about reporting: currently, when reporting information security breaches, we've completed the online form and submitted all the information that way; however, should we be reporting the breaches via phone call in the first instance?

Okay, so we've got two options available. We have the phone line, which is open Monday to Friday, 9:00 to 5:00, and then the web form, which is available 24/7, so it's really up to you as to how you report. What I'll say a little bit later on is, if you're looking for some help, advice and guidance from the ICO about what you need to be doing, I would always suggest giving us a ring and talking it through with somebody. What we've found from people who use that service is that they tend to go away quite reassured from that conversation, or, if they're not sure what to do, they've got a bit of a checklist of things to action following that call. If that's something that you don't feel you need, you've got it in hand and you just want to comply with your legal obligation to get that report in, then by all means use the online form. But if you submit an online form and you've got requests in there for help on different aspects, it might take us a bit longer to get back to you.

Okay, good advice. This question asks: what if we decided a breach isn't reportable, but later on the ICO contacts us because you've heard about it in a different way?

Okay, that's fine. And again, slightly later in the presentation we'll talk to you about another obligation you have even if your breach isn't reportable. But what we'd be asking you to do is, well, potentially we would make contact to say we've heard about this, is this something that you know about? So we're looking to see that you've got that situation under control, and we'll probably be having the same sort of conversation that we'd have been happy to have if you had reported it. And then at the end of that we'd perhaps have a decision about whether or not it's something that we did want to make a record of, or whether we just... it sounds like things are on a case-by-case basis.

Okay. And this is a question about backlog and triaging: what's the backlog and time frame for the ICO dealing with incidents, and how does the ICO triage its incidents?

Okay, so every case that comes in is looked at, hopefully on the day that it's received or very shortly afterwards, so we are looking to make sure that we are acting on very serious breach reports as soon as possible after they come in. So if you submit something that is of concern to us in that way, then we'll be contacting you back very quickly, so that you know what we need to do, what you need to be doing and what we're intending to do next. So if you don't hear from us for a little while after that, that's good in a way, because that should reassure you that it isn't something that we consider to be really serious. We do have a caseload of cases, because, as you'll see a little bit later on, we've received a lot of breach reports since the GDPR came into force, and so we're working our way through those, but we will get to them all, so you will hear from us at some point if you've reported something.

Okay, good. And then one final one, perhaps, before we carry on with the presentation. This is a question about advice through the helpline: how far does the ICO go to advise a data controller on when to notify the Information Commissioner's Office? So this person was at a conference and was told that the ICO would advise when notification is required, but obviously from their live experience, and from what we're saying, the decision to report is that of the data controller. So where does it actually sit?

Yep, it's the data controller's decision about whether or not they report. So certainly if you contact us by phone then we can talk you through the different things that you need to weigh up, applying the things that Chris talked about in terms of risk assessment to that particular situation, and talk it through with you. But ultimately we're not going to make that decision, because we can only go off the facts as you present them, and if there's other information that you know but don't share, then we might make the wrong decision.

Okay, good. Thanks very much.
Okay, so just following up from one of those questions: even if you decide that you don't need to report to the ICO, there's still something that you need to do, because the GDPR requires you to make a record about that breach. That record should contain the facts relating to the breach, so what happened, how it happened, how many people were affected and the effects of the breach, so you'd include in there your assessment of the consequences to individuals, and any remedial action you've taken.

Okay, so one of the frequent conversations we have when organisations contact us to discuss breaches is whether they should tell the individuals involved, and what they should tell them. The legal obligation is to tell individuals about a breach if there's likely to be a high risk to their rights and freedoms. This means the threshold for informing individuals is higher than for notifying the ICO. So what does high risk mean? High risk isn't defined in the GDPR, but the guidelines say that you should consider a combination of the severity of the potential impacts on the rights and freedoms of individuals and the likelihood of these occurring. So it's like what we've talked about with the risk assessment in the earlier slides: clearly, where the consequences of a breach are more severe, the risk is higher, and similarly, when the likelihood of these occurring is greater, the risk is also heightened. When you report a breach to the ICO we can provide advice about whether you should tell individuals, and the ICO has new powers under the GDPR, so we can require you to tell individuals if we think this is necessary. If you decide that you're not obliged to tell individuals about a breach but you want to tell them anyway, what you need to do is strike a balance between being open and transparent with individuals and causing them what we call notification fatigue. This is where individuals are informed about so many low-level breaches that they fail to register or act on what they're told when there's a more serious breach. And of course one of the main reasons for informing individuals is to help them take steps to protect themselves from the effects of a breach.

Okay, so we're going to look at breaches that have been reported to the ICO over the last few months. We expected to receive a significant increase in the number of breaches compared to before the 25th of May, and as you can see from the graph, we were right to think that, because there has been a significant rise. So the numbers applying to each of those columns are 398 reports received in March, 367 in April, 657 in May and 1,792 in June, nothing like a round number. We think the increase in May obviously includes a few days of the GDPR being in force in the May figures, but also we saw a rise throughout the month of May, because we think organisations were preparing their breach reporting processes, really getting their heads around what they needed to do, so they were voluntarily notifying us about DPA 98 breaches before the GDPR came in. In terms of sectors, since the GDPR came into force we've seen broadly the same sectors reporting the most breaches to us: health, education, general business, solicitors and barristers, and local government are the sectors that have reported the most breaches to us since the 25th of May.

Whilst we're on the subject of health breaches, I'd just like to remind organisations in the health and social care sector in England, including those that process health and social care personal data under contract, so it's not just the NHS but charities and businesses that are doing that work, that they should be using the new Data Security and Protection Incident Reporting tool to report breaches. I understand from NHS Digital that it's quick and easy to sign up, and so it shouldn't be a barrier to you getting your breach report in on time, but it might be better to sign up now, and then if and when you have a breach you've got everything ready that you need, so you're not going to have a delay.

So we said we'd talk to you about our experience of dealing with these breaches, and here are three key themes that we've seen from the cases we're dealing with. We talked briefly before about the different options available for reporting breaches, so the first is telephone reporting. There are two ways, as I said, that you can report breaches: we've got the breach reporting phone line and a form available online. One of the benefits of reporting by phone is that we can hopefully gather all the information we need from you to make a decision about what we need to do next, and perhaps avoid follow-up correspondence, so potentially you can deal with it all in one conversation. Contacting us by phone is a good idea if you need advice about how to manage a breach or whether to tell data subjects, and it can be particularly helpful for organisations that are perhaps experiencing their first breaches and are a little bit unsure about what to do, so hopefully you'll go away from that phone call with some reassurance that you're on the right track. We introduced that phone line in November last year, because we were getting ready for the GDPR and sorting out our processes, but there is a greater demand for that service, as you can imagine, since the 25th of May, so you may have to hold, particularly at peak times, but we will get to you. Like I said, if you're confident that you know what you're doing, you don't need any assistance and you just want to make sure that you make that report, you may prefer to use the online form, and that's available to you at times that we're not.

As I hope we've emphasised today, not every personal data breach needs to be reported, so controllers should assess the likelihood and severity of the risk to individuals before making that decision to report. You can call us for advice, but we're not going to make that decision for you; it's one that you need to make. We also don't differentiate between formal reports and informal reports, so if you've told the ICO about a breach then it has been reported. That is a conversation that people have with us: "Well, I want to tell you this, but I don't necessarily want to report it." If you've told us, it's reported, and so it's going to be recorded on our systems and we're going to deal with it in the same way. We also have organisations that tell us, "We don't think this is reportable, but we're going to tell you anyway to be transparent." Whilst it's great that you want to be open with the regulator, there's no need to do that. If you maintain the breach record that we talked about earlier, then if the ICO ever needs to understand your reasoning behind whether to report or not, or what the consequences were to individuals, we can ask to see your records. When we're dealing with such a high volume of breach reports, as you saw from the earlier slide, it's potentially distracting to us to receive notifications of incidents that aren't really reportable; we want to be able to put our attention where it's needed most.

And then lastly, incomplete reports. Again, the 72 hours isn't just to email or phone us. We had somebody who phoned us up a few weeks ago and said, "The 72 hours is almost up, but I don't really know what happened, but I know that I need to make contact with you." Well, that wasn't really good enough. All of the things that we outlined as things that you need to tell the ICO when you're making your report are things that you should be aiming to tell us within that 72-hour period. On the other side, it's not that helpful, I think, to either the ICO or the reporting organisation to try and get that report in as soon as something's happened; you can take some time to assess what's going on. We received an email, again a few weeks ago, where somebody said, "Oh, we've lost some payslips," and then about an hour later we got another email from them that said, "Oh, we found those payslips that we told you we'd lost." So rather than reacting so quickly to try and tell the ICO about it, that time would perhaps have been better spent just looking for the payslips and satisfying yourself that they were actually lost. Okay, so that's the end of the slides. Thank you for listening, and I
questions yes we’ve got quite a few questions that have come in thank you
everyone for that and this is about reporting thresholds so why is the
reporting threshold for informing data subjects higher than the threshold for
reporting of reach to the ICO okay so one of the reasons for telling
individuals about breaches so they can take actions to protect themselves so
there they can be security incidents that are breaches that the impact
individuals might not be that great so we wouldn’t want to become a subsidy
mall the time about every single kind of incident that’s happened as it
Wendall’s fare earlier and he wanted to buy a notification fatigue because it
can happen where if you receive so many reports and it’s a minor or a level
breach that those people in future might not respond to the actions the
organization’s tell them to do which is what you want me to do when there’s a
really serious incident so that’s why I guess the threshold time individuals is
greater than for telling the ICO the other thing to think about as well is
sort of balancing so again we talked about being open and transparent and how
that’s like a key principle underpinning the GDP ah so it’s good that people are
thinking in that way but if the consequences of a breach a fairly minor
you might actually cause more to somebody by telling them that they’ve
been subject of it that would actually be caused by the breach itself because
you know potentially quite minor very little risk of not occurring that’s a
really good point and this is a question about what happens after an incident is
reported so we’re all reported incidents receive confirmation of closure from the
ICO even if the ICO considers that no further action is necessary yet our
current processes are that you should hear from us in in every case so you’ll
receive an acknowledgment when we get you report and then later on when we
possessed it you will hear from us again okay and this is an interesting one if
there’s no evidence that data has been accessed should we still assume a breach
of confidentiality has occurred if we found a weakness in security so really
what they’re saying is so if data has been left on a system accidentally but
has got incorrect access rights attached to it but there’s no evidence that
anyone’s actually accessed it is that something that they should still be
reporting it will depend on the circumstances of the particular incident. As I said before, there are a number of factors that you might want to take into account. One of those, in that case, is how long the information has been left where people could potentially access it: was it just a short while, or has it been up there for quite a few months? And what is the sensitivity of the information? Is it something where disclosure wouldn't really cause significant harm to individuals? Then probably not. But if it's information that's obviously quite sensitive and it has potentially been out there for a long time, you might want to assume that somebody could have accessed it. It also depends on your system, and how good your system is at picking up access to that data. If it's something you can tell, and you're reasonably confident that no one has accessed it and you've quickly contained it, then maybe the risk isn't that great and notification isn't required. So again, it depends on the circumstances of each case.

Okay, thank you. I think this will be a quick answer: are we allowed to use our own forms, rather than the ICO form, to report breaches?

Okay, so there's nothing in the legislation that says how you have to report. So if you send us an email and it's got the information in, or you send your own form and it's got the information in, then that's going to constitute a valid report. However, we've produced the forms because we want to make sure that we're capturing all of the information we need. As you can see from the volumes we're dealing with, we want to make the process at the ICO as slick and as quick as possible. Essentially, if you've got your own form and it doesn't include some of our questions, then we're probably going to be coming back to you for more information. So I would say, if you can use our form, I would rather you used that, but your report isn't going to be rendered invalid because you've used the wrong thing.

Good, thank you. And this is a
question about the 72 hours: when does the clock start ticking, when the processor finds out about a data breach or when the controller finds out? You were talking about that earlier, about processors.

Yeah, I mean the requirement in the GDPR is that if you do employ a processor to process personal data on your behalf and the processor detects a breach, their obligation is to inform you, as the controller, without undue delay, and at the point you are informed by the processor, that's when you would be considered aware of the breach occurring, and that would start the clock. So it's important that your contracts with your processor set out what the process should be for informing you, the controller, in the event of a breach.

Okay, and this is a question about scale. Again, I think it's probably going to be an "it depends" answer, but should we be reporting individual data breaches, say a single customer who's been sent a letter relating to another customer due to a problem with envelope stuffing? What level, how many customers need to be affected before this becomes a material and therefore reportable breach?

So what we need to look at there is the data itself: one person can be affected in a very significant way by a breach.

Okay, again sort of a more specific one, but if data is sent to an old address and not a new one because a new one isn't provided, is that a personal data breach?

If you're sending mail containing personal data to an address that you hold on file for a customer or an individual, and you're satisfied that that's the last known address of that person, then if you send mail there but actually the individual has moved and hadn't told you, that isn't a breach of security, because it's not something that's unintended, and you wouldn't know any different, that the person has moved. So that wouldn't be a personal data breach. That being said, if you're sending information that's quite sensitive you need to consider whether post is the best channel, and it may be that actually, if for example you've not heard from a customer or individual for quite a long time, you might want to check that that address is still their address before you send information out. If you failed to take those kinds of steps where it would be appropriate, that is potentially a security issue. But generally speaking, if you're sending mail to the address that you've got for an individual and they haven't told you otherwise, then no, that wouldn't be a personal data breach.

Okay, and this again is about the 72-hour issue, and so
probably one for you, Laura. The question is that we've on occasion had to report a breach without having all the information available at the time. In these circumstances, how should we be providing the additional information once we've obtained it: should this be by the online form or through a phone call?

Okay, so it's going to be different depending on the circumstances of the case, but in most circumstances, if you're providing follow-up information, you would do that using the online form. When you go onto the online form there are two buttons to choose from at the top, so you can indicate that it's either your initial report or a follow-up report, and if it's a follow-up report there's a place to put your case reference so we can marry that information up. However, if you've already spoken to somebody and you know that you've got a case officer, then they will have a discussion with you about how they want to receive any further information, because, as I said, if it's one of those most serious breaches they might be having a conversation with you every day and they might prefer to receive that by phone rather than by email. But by and large, use the form on the website.

Okay, thank you very much. And this is an interesting one: what are the most common data breach types that are reported to you?

Off the top of my head I don't have that information to hand, but I don't think there's been a huge change from what we used to see under the DPA. That trend data is available on our website. So it was always lost and stolen data, that's a big one, and that will either be in hard copy form or we're looking at lost devices, so unencrypted devices like iPads, phones, USB sticks. And then data being sent by email, and perhaps to a smaller degree by fax, to the incorrect recipient, so using carbon copy rather than blind carbon copy is a big one, or the old autocomplete, where you type in the first few letters and somebody has a similar name to the person you actually want to send the information to. That's still a very common thing going through at the moment.

Okay, thank you.
This is a question of capacity, probably one that we should address. This is really asking whether or not we're going to get more staff. When people call, sometimes they're waiting for a while, or they get cut off if they're left on hold. What about our plans for making sure that we can handle the number of breach reports that we're getting?

Okay, so apart from, of course, giving this webinar, we are recruiting on an ongoing basis. We've had some new members of the team join us recently and they're undergoing training. That's just one of the things that we're doing to make sure that we can handle the increased number of breach reports that we're getting.

Yes, and you talked about waiting on the line as well.

Yeah, so I would be surprised if people are being cut off, because that shouldn't be happening within our telephony system. If people have experienced that before, I would probably say that's maybe a one-off or a technical issue; I'm hoping it's that, because it's certainly not something that we're doing as a way of managing calls. As I said, there are peak times, so Friday afternoon seems to be a time that people report a lot of breaches to us. We talked about reporting when you've got the right information at the right time, but I would also say we're not going to bite, so maybe don't sit there in the office and think, okay, I've got to ring now because I know I'm going to run out of time. If you've got that information earlier on in the day, give us a call, because there are periods of the day that are quieter than others. As I've said, there might be a bit of an initial wait to get through to us, but if we can resolve all of your issues on that one call then that's potentially worth hanging on and doing, rather than sending an email but then having a number of email exchanges until we have obtained the information that we want from you. And yes, we're recruiting all the time, and not just recruiting new people but looking at how we use the resource within the organization. The personal data breach team sits within the customer contact department, which is a large department, the department that provides our regular helpline services, so we can look to flex people and resources. And of course, as I alluded to to begin with, one of the purposes of doing this webinar is to help people understand when they should be reporting, so that together we can help streamline that service, which I think would be fair to say.

Okay, just time for one or two more, and
again this is about reporting and the 72 hours. There's a recognition by the ICO that information governance staff don't usually work weekends, so incidents may regularly be reported on a Monday or Tuesday following their taking place on the previous Friday or Saturday. Is that okay, if that's within 72 hours of the organization becoming aware of the breach?

So yeah, if you have the Friday afternoon breach then you've got until Monday afternoon to report it; that's 72 hours. But we would also say that you should have plans in place in your organization as well, so if you've got people working over the weekend and breaches could occur, then there should be some mechanism that they have of flagging those up, particularly in more serious cases where action might need to be taken. Because obviously this ICO webinar is about breach reporting, so we're going to be talking about breach reporting to the ICO, but we also need to remember that it's not the sole purpose of, or the sole thing you should be thinking about when you're responding to a breach. It's about containing that breach, working out who it affects, is it going to cause damage to people, how do we stop it happening again. Telling the ICO is part of that response, so telling us is one thing, but taking any action where action needs to be taken is something else.

Okay, and then I think just one final one, which hopefully we could talk a bit about: some of the resources that are already available, but maybe also some other things that we're going to do. Will the ICO be providing case studies to help data controllers understand what a breach is and when they should report it?

We are having a look at everything that we have on the website about breach reporting, so that's certainly something that we can take into account. It's something that we know, when we go to conferences or we speak to controllers, that people are always very keen on. Whenever we talk about examples it's just important to strike that balance, because there are always going to be small factors that might change a decision completely. So perhaps be a little hesitant about relying too heavily on examples, because you are going to have to make your own decisions based on the circumstances of your particular breach. It's certainly something we can have a look at another time.

Brilliant.
Okay, well, thanks again for joining us. A recording of this webinar will be available from tomorrow, and as I said there are lots of resources on our website: if you click on the "Report a breach" tab from the home page you'll find lots of information there. If you're interested in future webinars or podcasts, they all go into our monthly e-newsletter, and you can sign up for that from the website as well. So thank you very much for listening, and goodbye.

Stephen Childs
