If you know, or are unsure whether, a data breach has occurred, you must inform dataprotectionofficer@north-ayrshire.gov.uk immediately.
Why? The Data Protection Officer (DPO) has only 72 hours from the organisation becoming aware of the incident to assess whether the incident is reportable to the Information Commissioner's Office (ICO, the data protection governing body).
What if you are unsure whether it is a breach or not? The DPO can still report, advising that we are unsure whether it meets the criteria of a breach until we carry out further investigation. A follow-up report can then be submitted with the final outcome.
Why report if we are unsure, rather than waiting until we know? To comply with the UK General Data Protection Regulation (UK GDPR), we have a legislative obligation for the DPO to assess and report within 72 hours. If we report too late, this can result in action being taken against the Council by the ICO.

The Corporate Information Governance team is responsible for overseeing the council's compliance with access-to-information legislation, including:
- Data Protection
- Freedom of Information
- Environmental Information
- Corporate Complaints
- Records Management
Ensuring that all staff are aware of their responsibilities to follow good information governance practice is our job, but ultimately it takes all of us to make sure that the council complies with the legislation.
Please see the round-up of important Information Governance updates below:
Data Breaches
- The number of data breaches reported to the Data Protection Officer remains high
- The main cause of data breaches continues to be human error, in particular sending emails or letters to an incorrect recipient
- This can be avoided by following the STOP, THINK, CHECK then SEND approach, confirming that every recipient has been entered correctly before sending
- Always check that the data you are using is up to date and accurate
Freedom of Information and Subject Access Requests
- It is important that staff recognise requests and understand the difference between an FOI request (information an organisation makes available to the public on request) and a SAR (personal information held by an organisation, requested by the individual it relates to or by certain representatives acting on their behalf)
- Subject Access Requests (SARs) must be responded to within one month of receipt
- Freedom of Information requests have a 20-working-day timescale under the legislation
- Requests must be logged as soon as possible so that adequate time is available to identify and collate the information
- For further assistance with handling requests for information, please contact: freedomofinformation@north-ayrshire.gov.uk
Appropriate Use of OneDrive
OneDrive is best known across the council as the file storage application that replaced H drives. To maintain good information governance practice, and to ensure compliance with both data protection and records management legislation, we all must routinely check our drives to:
- Ensure that OneDrive is not being used for operational file storage; operational files must be held in SharePoint or shared drives
- Delete files that have been superseded, are no longer required, or have exceeded their retention period
- Ensure that live file-sharing links are still required and that the users you are sharing with still need access
Failure to adhere to the above requirements could result in a breach of data protection or records management policy.
For further information or queries, please contact Lauren Lewis, Data Protection Officer, at: dataprotectionofficer@north-ayrshire.gov.uk