Data Protection Policy
Data Protection Breaches
7.1 A data breach is the most serious event which can occur under data protection legislation. A breach can come in many forms, but it is an event leading to the accidental or wilful/unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that is transmitted, stored or otherwise processed.
7.2 There is a procedure in place for dealing with data breaches. In the event of a breach staff must:
• Ensure the Data Protection Officer (DPO) is immediately informed of any breach or suspected breach;
• The DPO will investigate the breach and where required inform the Information Commissioner’s Office (ICO) without undue delay, and in any event, no later than 72 hours after becoming aware of the breach;
• Communicate with affected data subjects without undue delay if the breach is deemed to result in a high risk to the freedoms and rights of the data subjects.
7.3 There are many kinds of cybersecurity incidents. Any cyber-attack or related incident will be reported to the ICO if there is a personal data breach. This means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Any cyber incidents will be managed in accordance with the corporate management and risk and resilience team.
7.4 The Council will take appropriate action under the Council’s disciplinary and/or capability procedures for employees, or through contractual arrangements with third parties where the breach is a result of non-compliance with data protection legislation and Council policies.