This Procedure sets out the processes to be followed by SHERPA staff in the event that SHERPA experiences a data breach or suspects that a data breach has occurred. A data breach involves the loss of, unauthorised access to, or unauthorised disclosure of, personal information.
Accordingly, SHERPA needs to be prepared to act quickly in the event of a data breach (or suspected breach), and to determine whether it is likely to result in serious harm and whether it constitutes a notifiable data breach (NDB).
Adherence to this Procedure and Response Plan will ensure that SHERPA can contain, assess and respond to data breaches expeditiously and mitigate potential harm to the person(s) affected.
3. Process where a breach occurs or is suspected
3.1 Alert
A privacy or data breach is typically detected by the SHERPA configuration of Cloudflare, Wordfence and the server firewall. Where a privacy data breach is known to have occurred (or is suspected), any member of SHERPA staff who becomes aware of it must, within 24 hours, alert a Senior Investigator and the Managing Director; their contact details are listed below.
It is also important to note that SHERPA staff members are responsible for the care of their personal devices when accessing the SHERPA website. This includes maintaining an up-to-date antivirus and malware scanning package. Should you require assistance with this, please contact a member of the team below.
Paul Keene (Webmaster) – paul.keene@SHERPA-rri.org
Bernd Stahl (Senior Investigator) – firstname.lastname@example.org
Martin DeHeaver (CEO) – martin.deheaver@SHERPA-rri.org
The information that should be provided (if known) at this point includes:
- When the breach occurred (time and date)
- Description of the breach (type of personal information involved)
- Cause of the breach (if known); otherwise, how it was discovered
- Which system(s), if any, are affected
- Whether corrective action has occurred to remedy or ameliorate the breach (or suspected breach)
3.2 Assess and determine the potential impact
Once notified of the information above, the informed parties must consider whether a privacy data breach has (or is likely to have) occurred and make a preliminary judgement as to its severity. The Privacy Coordinator should be contacted for advice.
3.2.1 Criteria for determining whether a privacy data breach has occurred
- Is personal information involved?
- Is the personal information of a sensitive nature?
- Has there been unauthorised access to personal information, or unauthorised disclosure of personal information, or loss of personal information in circumstances where access to the information is likely to occur?
3.2.2 Criteria for determining severity
(a) The type and extent of personal information involved
(b) Whether multiple individuals have been affected
(c) Whether the information is protected by any security measures (password protection or encryption)
(d) The person or kinds of people who now have access
(e) Whether there is (or could be) a real risk of serious harm to the affected individuals
(f) Whether there could be media or stakeholder attention as a result of the breach or suspected breach
With respect to 3.2.2(e) above, serious harm could include physical, psychological, emotional, economic/financial or reputational harm.
Having considered the matters in 3.2.1 and 3.2.2, the Web Developer must notify the SHERPA Team within 24 hours of being alerted under 3.1.
3.3 Web Developer to issue pre-emptive instructions
On receipt of the notification under 3.2, the Web Developer (with guidance from the hosting company) will take a preliminary view as to whether the breach (or suspected breach) may constitute an NDB. Accordingly, the Web Developer will issue pre-emptive instructions as to whether the data breach should be managed at the local level or escalated to the hosting company. This will depend on the nature and severity of the breach.
3.3.1 Data breach managed at the organisational level
Where the Web Developer instructs that the data breach is to be managed at the local level, the relevant member of staff must:
- ensure that immediate corrective action is taken, if this has not already occurred (corrective action may include: retrieval or recovery of the personal information, ceasing unauthorised access, shutting down or isolating the affected system); and
- submit a report to the Managing Director within 48 hours of receiving instructions under 3.3. The report must contain the following:
  - Description of the breach or suspected breach
  - Action taken
  - Outcome of the action
  - Processes that have been implemented to prevent a repeat of the situation
  - Recommendation that no further action is necessary
The Web Developer will be provided with a copy of the report and will sign-off that no further action is required.
The report will be logged by the Web Developer.
3.3.2 Data breach managed by the Hosting Company
Where the Web Developer instructs that the data breach must be escalated to the Hosting Company, the Web Developer will remain in constant contact with the Hosting Company and will provide a full report to the Managing Director of SHERPA.
If there are reasonable grounds to believe that the breach constitutes an NDB, the Web Developer must prepare a prescribed statement and provide a copy to the Managing Director as soon as practicable (and no later than 30 days after becoming aware of the breach or suspected breach).
If practicable, SHERPA must also notify each individual to whom the relevant personal information relates. Where impracticable, SHERPA must take reasonable steps to publicise the statement (including publishing on the website).
3.6 Secondary Role of the Response Team
- Identify lessons learnt and remedial action that can be taken to reduce the likelihood of recurrence; this may involve a review of policies and processes, or refresher training.
- Prepare a summary.
- Consider the option of an audit to ensure the necessary outcomes have been achieved and are effective.
4. Updates to this Procedure
This Procedure is scheduled for review every year, or more frequently if appropriate.