Data Breach Form – Follow My Link

This form can be used to ensure all relevant issues are addressed. It will automatically be sent to SDC HR.

This form should be completed by the person who has responsibility for data protection within your organisation when investigation into the breach has been completed.

A copy of this form will be emailed to the person who completes it and should be filed for future reference and in case the ICO requires to see it.

Name of organisation:

Name of person completing this form:

Email address of person completing this form: *

Email address of person to receive a copy of this form: *

Date and time form completed:

Validation

If 'Other' provide a brief description of the type of event:

Who notified us of this?

a data subject who is affected
one of the businesses who process personal data for us
a member of the public
an employee of our organisation
a business partner or other stakeholder for our organisation

Describe what we were first notified of:

Who was first notified?

Name and Job Title

What was the date and time of day when we were first notified?

Do the circumstances reported involve personal data held by our organisation?

Yes
No
Not sure

Do the circumstances reported involve personal data held by a business that processes personal data for us?

Yes
No
Not sure

Do the circumstances reported involve personal data that we process on another organisation's behalf?

Yes
No
Not sure

Note: if ‘yes’ we must notify the other organisation immediately.

Initial assessment: do the circumstances reported potentially constitute a data breach?

Yes
No
Not sure

If ‘yes’ investigate as per ‘Response Plan’ in Data Breach Policy. If ‘no’ consider recording in Data Breach Log as a ‘near miss’. If ‘not sure’ investigate further to determine.

Investigation

To be completed once investigation completed

Describe the data asset/s that are affected:

e.g. email system, manual file, data on server or computer, etc

Do those affected include children or vulnerable adults?

Approximately how many records are affected?

Approximately how many data subjects are affected?

Is the data encrypted or otherwise protected by security measures?

If so, does encryption or other security measure/s mean the data is likely to be inaccessible?

Was the personal data affected already within the public domain?

Yes
No
Not sure

i.e. could it be discovered by a member of the public from available resources?

Are the types of personal data affected likely to cause a risk of harm or prejudice to rights and freedoms?

Note: if ‘yes’ then action must be taken to report to Information Commissioner’s Office within 72 hours of when we became aware of the breach. Serious breaches should be reported to the ICO’s security breach helpline on 0303 123 1113 (open Monday to Friday 9am to 5pm). Select option 3 to speak to ICO staff who will be able to assist. Alternatively, notification should be in writing to ‘casework@ico.org.uk’ or by post to the ICO at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

If there is a risk of harm or prejudice to rights and freedoms, is this risk highly likely?

Note: if ‘yes’ then action must be taken to report what has happened to the data subject/s themselves and provide any suitable advice they can follow to minimise this risk. See ‘Informing Data Subjects’ in the Data Breach Policy.

Mitigation

Is any Personal Data pseudonymised so that the Data Subjects are not identifiable?

Describe what caused the breach:

What measures have been taken (or are proposed) to address possible effects of the breach?

Have these measures been effective?

What measures have been taken (or are proposed) to ensure there is no further occurrence of this type of incident?

Reporting

Has this event been reported to the Information Commissioner's Office?

If 'yes' what was the date and time of day that it was reported?

If 'no' why was the decision taken not to report

Has this event been reported to the data subject/s affected?

If 'yes' what was the date and time of day that it was reported?

If 'no' why was the decision taken not to report to the data subjects?

Record Keeping

What type of records are on file regarding this event:

List of documents on file:

Has an suitable entry been made in our Breach Log or record of breaches or near misses?

Name

Privacy Notices
Data in this form is processed by SDC HR as an article 28 GDPR processor to the organisation above. As such SDC HR is a data processor and the data controller is the organisation in question, which should ensure that this processing activity is reflected in its privacy notice/s.