Incident management policy
The New Apostolic Church UK Ltd (NAC UK) is responsible for protecting the information it holds and is legally required under the General Data Protection Regulation (GDPR) to ensure the security and confidentiality of personal information processed.
1. Policy statement
1.1. Every care is taken to protect information and to avoid a security incident, especially where the result is a data breach when personal information is lost or disclosed inappropriately to an unauthorised person. In the unlikely event of such a security incident, it is vital that appropriate action is taken to minimise any associated risk as soon as possible. We will investigate all security incidents classified as serious using a set plan and follow a Breach Management Plan in the event of a data breach.
1.2. This Security and Data Protection Incident Reporting and Management Policy is in line with the current Information Commissioner’s Office (ICO) guidance for reporting, managing and investigating breaches of personal data.
1.3. The NAC UK takes information security very seriously. The NAC UK understands the necessity to take prompt action in the event of any actual or suspected breaches of information security or confidentiality to avoid the risk of harm to individuals, damage to operational business and severe financial, legal and reputational costs to the organisation.
1.4. The GDPR introduces a mandatory requirement to report certain types of personal data breaches, which are likely to result in a risk to the rights and freedoms of individuals, to the ICO. The implementation of this Policy will ensure that personal data breaches are thoroughly investigated, with adequate remedial actions put in place and breach notification requirements complied with. In each case, specific GDPR provisions will be followed in a timely manner and within the specified timeframes.
1.5. GDPR Article 33(1): ‘In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.’
1.6. The NAC UK understands the severity of a failure to notify a reportable incident to the ICO. Failure to notify may lead to an administrative fine up to €10,000,000 or in case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
2.1. The objective of this Policy is to support the prompt and consistent management of information security incidents to minimise any harm to individuals or the organisation.
2.2. This Policy supports the strategic business aims and objectives of The NAC UK by:
- ensuring that The NAC UK has implemented an effective information incident management and response mechanism that supports the implementation and sharing of lessons learned
- ensuring that there is a considered and agreed incident response and communications plan available, including the reporting of ‘perceived’ or ‘actual’ breaches
- ensuring that the investigation and reporting of data protection incidents conform to GDPR requirements and do not conflict with the organisation’s policies and procedures
- facilitating the analysis of incident records to determine common threat patterns and existing threat vectors, to raise awareness and implement preventative measures
- ensuring that every member of staff at he NAC UK understands the importance of reporting and managing information security incidents to reduce the risk of a future breach and to mitigate the impact of any potential breach.
This Policy provides a framework for reporting and managing:
security incidents affecting [The NAC UK’s information and IT systems
losses of information
near misses and information security concerns.
Everyone has an important part to play in reporting and managing information security incidents in order to mitigate the consequences and reduce the risk of future breaches of security.
A natural or legal person, Public Authority, Agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
A natural or legal person, Public Authority, Agency or other body which Processes Personal Data on behalf of a Data Controller.
The process of safeguarding Personal Data from unauthorised or unlawful disclosure, access, alteration, Processing, transfer or destruction.
Anyone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The process of encoding a message or information in such a way that only authorised parties can access it.
Information Commissioner’s Office (ICO)
An independent Public Authority in the UK responsible for monitoring the application of the relevant Data Protection regulation set forth in national law.
Personal Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
Process, Processed, Processing
Any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means. Operations performed may include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
An information security incident is any event that has the potential to affect the confidentiality, integrity or availability of information in any format. Examples of a Personal Data Breach include the following (please note, this is not an exhaustive list):
the loss or theft of data or information
unlawful disclosure or misuse of confidential data/the disclosure of confidential information to unauthorised individuals
using personal data in a way incompatible with the originally specified purpose
information security breaches and inappropriate invasion of people’s privacy
personal data breaches which could lead to identity fraud or have other significant impact on individuals
inappropriate access controls leading to unauthorised use
any incident which involves actual or potential failure to meet the requirements of the GDPR and/or the common law of confidentiality
loss or theft of paper records, data or equipment such as tablets, laptops and smartphones on which data is stored
inappropriate access controls allowing unauthorised use of information
attempts to gain unauthorised access to computer systems e.g. hacking
virus or other security attacks on IT equipment systems or networks
‘blagging’ or ‘phishing’, where information is obtained by deception
breaches of physical security e.g. forcing of doors or windows into secure room, or filing cabinet containing confidential information left unlocked in accessible area
leaving IT equipment unattended when logged in to a user account without locking the screen to stop others accessing information.
The Policy applies to all users of The NAC UK information. Users include all employees (including temporary workers and volunteers), suppliers and visitors who may have access to The NAC UK information. All users must understand and adopt this Policy and are responsible for ensuring the safety and security The NAC UK systems and the information that they use or manipulate. This includes both data stored electronically and in any other form.
Security of information
The new GDPR principle of accountability requires the Data Controller to be responsible for and to be able to ‘demonstrate’ and ‘evidence’ compliance with the Data Protection Principles.
The NAC UK is committed to putting in place adequate technical and organisational safeguards to prevent information security incidents and to establish immediately whether a breach has taken place. Technical safeguards can be thought of as physical protection ranging from ICT passwords and firewalls to building security, while organisational safeguards are aimed at employees (e.g. ensuring adequate training, policies and procedures are in place).
An Incident can be caused by a number of factors, such as:
negligence or human error
unauthorised or inappropriate access, including processing confidential personal data without a legal basis
loss or theft of information or equipment on which information is stored
systems or equipment failure
unforeseen circumstances such as fire, flood and other environmental factors
inappropriate access, viewing information for purposes other than specified/authorised, e.g. an individual browsing a record about an ex-partner to find their current address
unauthorised access, using other people’s user IDs and passwords
poor physical security
inappropriate access controls allowing unauthorised use
lack of training and awareness
‘blagging’ or ‘phishing’, where information is obtained by deception.
Procedure for incident handling
Events and weaknesses need to be reported at the earliest possible stage as they need to be assessed by the Church Office / Data Protection Officer.
Suspected Cyber Attack
Security events, for example a virus infection found within a malicious email attachment, could quickly spread and cause data loss across the organisation. All users must understand, and be able to identify, that any unexpected or unusual behaviour on the workstation could potentially be a software malfunction. If an event is detected users must:
note the symptoms and any error messages on screen
disconnect the workstation from the network if an infection is suspected (with assistance from IT services)
not use any removable media (for example USB memory sticks) that may also have been infected.
All suspected security events should be reported immediately to the Church Office.
The Church Office will require you to supply further information, the nature of which will depend upon the nature of the incident. However, the following information must be supplied:
contact name and contact number of person reporting the incident
the type of data, information or equipment involved
whether the loss of the data puts any person or other data at risk
location of the incident
inventory numbers of any equipment affected
date and time the security incident occurred
location of data or equipment affected
type and circumstances of the incident.
If the Information Security event is in relation to paper or hard copy information, for example personal information files that may have been stolen from a filing cabinet, this must be reported to the Church Office / Data Protection Officer.
Collection of Evidence
If an incident may require information to be collected for an investigation, strict rules must be adhered to. The collection of evidence for a potential investigation must be approached with care.
Breach management plan
There are four important elements to any breach management plan:
Containment and recovery
Assessment of ongoing risk
Evaluation and response
Containment and recovery
Data security breaches will require not just an initial response to investigate and contain the situation but also a recovery plan including, where necessary, damage limitation. This will often involve contributions from specialists across the organisation, such as IT, HR and legal and, in some cases, contact with external stakeholders and suppliers.
Consider the following:
Decide on who should take the lead on investigating the breach and ensure they have the appropriate resources.
Establish who needs to be made aware of the breach and inform them of what they are expected to do to assist in the containment exercise. This could be isolating or closing a compromised section of the network, finding a lost piece of equipment or simply changing the access codes at the front door.
Establish whether there is anything you can do to recover any losses and limit the damage the breach can cause. As well as the physical recovery of equipment, this could involve the use of back up tapes to restore lost or damaged data or ensuring that staff recognise when someone tries to use stolen data to access accounts.
Where appropriate, inform the police where there is evidence to indicate a crime has taken place.
Where appropriate, consider reporting a personal data breach to the ICO.
Assessment of ongoing risks
Before deciding on what steps are necessary following immediate containment, assess the risks which may be associated with the breach. The following points are also likely to be helpful in making this assessment:
What type of data is involved?
How sensitive is it?
If data has been lost or stolen, are there any protections in place such as encryption?
Regardless of what has happened to the data, what could the data tell a third party about the individual?
How many individuals’ personal data are affected by the breach?
Who are the individuals whose data has been breached? Whether they are staff, members, beneficiaries or suppliers, for example, will to some extent determine the level of risk posed by the breach and, therefore, your actions in attempting to mitigate those risks.
What harm can come to those individuals? Are there risks to physical safety or reputation, of financial loss or a combination of these and other aspects of their life?
If individuals’ bank details have been lost, consider contacting the banks themselves for advice on anything they can do to help you prevent fraudulent use.
Mandatory reporting to the ICO
Under GDPR, the NAC UK is required to notify the ICO of a breach where it is likely to result in a ‘high risk’ to the rights and freedoms of individuals.
Whether there is such a risk is also likely to vary depending on the type of data that is the subject of the breach and the type of breach that has occurred. A breach that is likely to have a significant detrimental effect on individuals, e.g. disclosure of an individual’s health or financial information, may be likely to have a significantly higher risk to the rights and freedoms of a data subject than a breach that leads to disclosure of member names with no further information about the individuals.
This must be assessed on a case-by-case basis. For example, you will need to notify the ICO about a loss of member details where the breach leaves individuals open to identity theft. On the other hand, the loss or inappropriate alteration of a staff telephone list, for example, would not normally meet this threshold.
The severity of the personal data breach/incident will be determined by the scale (numbers of data subjects affected) and sensitivity factors selected. If the outcome in terms of the severity of the incident is Level 2 (reportable), the incident should be reported to the ICO and escalated to other regulators, as appropriate. Please refer to Annex A – Incident Severity Assessment, which will help determine whether an incident is externally reportable.
Although the primary factors for assessing the severity level are the numbers of individual data subjects affected, the potential for media interest, and the potential for reputational damage, other factors may indicate that a higher rating is warranted, for example the potential for litigation or significant distress or damage to the data subject(s) and other personal data breaches of the GDPR. As more information becomes available, the personal data breach should be re-assessed. Where the numbers of individuals that are potentially impacted by an incident are unknown, a sensible view of the likely worst case should inform the assessment of the incident. When more accurate information is determined, the level should be revised as quickly as possible.
Please note: No reporting is required if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. For example, when lost data is protected, e.g. by appropriate encryption, so that no individual’s data can be accessed, then there is no data breach. When the data is protected but risk of individuals being identified remains, an incident should be reported.
Where a personal data breach is deemed reportable to the ICO, it must be reported without undue delay and, where feasible, not later than 72 hours after becoming aware of it.
Where a notification is not made within 72 hours of the data breach, The NAC UK must give a ‘reasoned justification’ to the ICO explaining the reason for the delay.
The GDPR recognises that it will often be impossible to investigate a breach fully within that time-period and allows you to provide information in phases. In practice, notification to the ICO may be required initially, followed by an in-depth analysis of the incident.
Communication personal data breaches to individuals affected
If the breach is sufficiently serious to warrant notification to the public, the NAC UK will do so without undue delay.
Informing people and organisations that you have experienced a data security breach can be an important element in The NAC UK’s breach management strategy. Considering the following will assist the organisation in deciding whether and how to notify:
Can notification help the individual? Bearing in mind the potential effects of the breach, could individuals act on the information you provide to mitigate risks, for example by being able to monitor any unusual or suspicious bank transactions, checking their credit rating, cancelling a credit card or changing a password?
If a large number of people are affected, or there are very serious consequences, you should inform the ICO.
Consider how notification can be made appropriate for particular groups of individuals, for example, if you are notifying children or vulnerable adults.
Have you considered the dangers of ‘over notifying’? Not every incident will warrant notification and notifying all 3,000 volunteers of an issue affecting only 20 volunteers may cause disproportionate enquiries and work.
You also need to consider who to notify, what you are going to tell them and how you are going to communicate the message. The notification should at the very least include a description of how and when the breach occurred and what data was involved. Include details of what you have already done to respond to the risks posed by the breach.
When notifying individuals give specific and clear advice on the steps they can take to protect themselves and also what you are willing to do to help them. For example, you may wish to pay for annual subscription to a credit reference agency where financial data may have been compromised.
Provide a way in which they can contact you for further information or to ask you questions about what has occurred – this could be a helpline number or a web page, for example.
There are, however, some circumstances when the notification to the data subject is not required, including:
The NAC UK has implemented appropriate technical and organisational protection measures in respect of the personal data affected by the breach (such as encryption).
The NAC UK has taken subsequent measures which ensure that the high risk to the rights and freedoms of individuals is no longer likely to arise.
It would involve disproportionate effort. A public notice or similar would be required to communicate the breach in those circumstances.
The ICO may compel The NAC UK to communicate a personal data breach with affected data subjects/individuals unless one of the three exemptions listed above is satisfied.
Evaluation and response
It is important not only to investigate the causes of the breach but also to evaluate the effectiveness of your response to it. Clearly, if the breach was caused, even in part, by systemic and ongoing problems, then simply containing the breach and continuing ‘business as usual’ is not acceptable; similarly, if your response was hampered by inadequate policies or a lack of a clear allocation of responsibility, then it is important to review and update these policies and lines of responsibility in light of the experience.
Incident severity assessment
Not all incidents have the same potential to adversely impact on the individuals whose data are involved. Assessing the severity of an incident relies on several factors, and there is no simple definition that covers what a serious incident entails. An incident that at first appears to be of minor importance may, on further investigation, be found to be serious and vice versa.
Although the full extent of an incident is only known after it has been thoroughly investigated, there is a need to ascertain whether the risk could be classified as serious at an early stage.
The crucial factors for assessing the severity level of an incident are:
the number of individual data subjects (e.g. beneficiaries, volunteers) affected
the potential for significant distress or damage to the person
the potential for reputational damage to the NAC UK
the potential for litigation
the potential for media interest
the type of personal data breach. Data breaches affecting special categories of data are more sensitive, and thus need to be treated more seriously than data breaches of personal data (refer to Appendix D for a complete list of what constitutes special categories of data).
Loss or theft of encrypted removable media (laptops, CDs, USB memory sticks, media cards, Personal Digital Assistants (PDAs)) would not constitute a reportable incident unless there is reason to believe that the protection afforded by these devices has been compromised, e.g. the key(s) used to unencrypt have also been compromised, the laptop was not configured to automatically enforce account lockout after a short time lapse without user interaction, or using an untested proprietary encryption algorithm.
There are two factors which influence the severity of an Information Governance Serious Incident Requiring Investigation (IG SIRI) – scale and sensitivity.
While any personal data breach is potentially a very serious matter, the number of individuals that might potentially suffer distress, harm or other detriment is clearly an important factor. The scale (as demonstrated in Table 1 below) provides the base categorisation level of an incident, which will be modified by a range of sensitivity factors.
Sensitivity in this context may cover a wide range of different considerations and each incident may have a range of characteristics, some of which may raise the categorisation of an incident and some of which may lower it. The same incident may have characteristics that do both, potentially cancelling each other out. For the purpose of the incident, sensitivity factors may be:
Low: Reduces the base categorisation
High: Increases the base categorisation.
Categorising personal data breaches
The incident category is determined by the context, scale and sensitivity. Every incident can be categorised as:
Level 0 or 1: Confirmed incident but no need to report to ICO and other regulators.
Level 2 or above: Confirmed incident that must be reported to ICO and other regulators.
To determine which category your incident falls under, first use Table 1 to identify the baseline category for the breach, based on the scale of the incident, then use Table 2 to determine the final category, based on the sensitivity of the incident.
Information about less than 10 individuals
Information about 11–50 individuals
Information about 51–100 individuals
Information about 101–300 individuals
Information about 301–500 individuals
Information about 501–1,000 individuals
Information about 1,001–5,000 individuals
Information about 5,001–10,000 individuals
Information about 10,001–100,000 individuals
Information about 100,001 + individuals
Table 1: Baseline category based on scale of incident
+1 for each characteristic
Sensitive categories of data (Appendix D)
Detailed information at risk, e.g. financial information
One or more previous incidents of a similar type in past 12 months
Failure to securely encrypt mobile technology or the other obvious security failing
Celebrity involved or other newsworthy aspects or media interest
A complaint has been made to the ICO
Individuals affected have been placed at risk of physical harm
Individuals affected may suffer significant detriment, e.g. financial loss
Individuals affected are likely to suffer significant distress or embarrassment
-1 for each characteristic
No data at risk
Limited demographic data at risk, e.g. address not included, name not included
Security controls/ difficulty to access data partially mitigates risk
Table 2 – Category changes based on sensitivity
Level of incident
1 or less
Level 1 incident (to be reported internally)
2 or more
Level 2 incident (to be reported to the ICO, and internally)
Table 3 – Incident reporting requirements
Notification of data breaches to the ICO
There are also prescribed requirements under the GDPR to satisfy when communicating a breach to the ICO. Guidance from the ICO regarding reporting of incidents is detailed in the list below and included in the Incident Report Form Template in Appendix B.
Information should include:
The NAC UK contact details, stating the NAC UK is the Data Controller in respect of the data breach
the Data Controller registration number, although under the GDPR this will no longer be a mandatory requirement
contact details of person in charge of the incident: name, job title, email address, contact telephone number and postal address
the reason(s) for any delay(s) in notifying, if applicable
measures the organisation have in place to prevent an incident of this nature occurring
extracts of relevant policies and procedures
what personal data has been placed at risk
number of individuals affected and approximate number of data records concerned
whether the affected individuals have been made aware of this breach
the potential adverse effects on those individuals
any palliative measures taken
whether the data placed at risk has been recovered
evidence of existing staff training, including relevant excerpts, and whether it is mandatory
any previous incidents that had been reported to the ICO, providing a succinct summary.
This information is to be sent to firstname.lastname@example.org, with ‘DPA breach notification form’ in the subject field, or by post to: The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
The ICO will issue an initial response within seven calendar days and provide a case reference number and information about their next steps.
Furthermore, he NAC UK has a duty to inform Data Subjects whether there is potential for identity theft which can be avoided or minimised if the Data Subject is notified of the incident, without undue delay.
Failing to comply with the notification requirement under the GDPR means the NAC UK will potentially attract GDPR fines, such as €10 million, or 2% of the Organisation’s annual global turnover, whichever is higher.
An individual must be assigned to manage the incident, and will be responsible for communicating and coordinating activities, as well as maintaining an audit trail of events and evidence. An investigation needs to be conducted to determine the causes of the breach, the scope, and possible remediation, along with expected outcomes and the identification of stakeholders. Evidence is to be preserved in order of volatility.
Following the investigation, mitigation and preventative measures must be documented and put in place, and a final incident report produced for the NAC UK trustees.
Personal data breach register
Under the GDPR, both Data Controllers and Data Processors are required to record any personal data breaches and any actions taken in respect of that. An Internal Breach Register will be maintained, documenting each incident ‘comprising the facts relating to the personal data breach, its effects and the remedial action taken’.
The ICO has the authority to assess how the NAC UK complies with its data breach notification obligations.
Appendix A – Incident management flow diagram
Appendix B – ICO incident report template
ICO INCIDENT REPORT FORM
The NAC UK
Name of person reporting incident
Description of incident
Reason for delaying notification, if applicable
Number of people affected
Volume of data affected
Measures the NAC UK has in place to deal with such incidents
Potential adverse effects on individuals affected
Mitigating measures taken
Have the data been recovered?
Has the NAC UK reported data breaches to the ICO in the past? If yes, provide details.
Appendix C – Template to log and report incidents internally
INTERNAL INCIDENT REPORT FORM
Name of person reporting incident
Description of incident
Level of incident
Number of people affected
Volume of data affected
Data format (paper/electronic)
If electronic, are records encrypted?
Is the incident in the public domain?
Is the media aware of the incident?
Immediate action taken
Remedial action taken
For the NAC UK use
Incident reference number
Forwarded for action to
Remedial action taken
Appendix D – Special categories of data
Racial or ethnic origin of the data subject
Religious beliefs or other beliefs of a similar nature
Trade union membership
Physical or mental health condition
The commission or alleged commission by the individual of any offence
Any proceedings for any offence committed or alleged to have been committed by the individual, the disposal of such proceedings or the sentence of any court in such proceedings
Biometric or genetic data