
GDPR - Data Breach Policy

1.0 Introduction

1.1 Primary PPA Cover Limited holds, processes, and shares a large amount of personal data, a valuable asset that needs to be suitably protected.

1.2 Every care is taken to protect personal data from incidents (whether accidental or deliberate) in order to avoid a data protection breach that could compromise security.

1.3 Compromise of information confidentiality, integrity, or availability may result in harm to individual(s), reputational damage, a detrimental effect on service provision, legislative non-compliance, and/or financial costs.

2.0 Purpose

2.1 Primary PPA Cover Limited is obliged under the General Data Protection Regulation to have in place an institutional framework designed to ensure the security of all personal data during its lifecycle, including clear lines of responsibility.

2.2 This Policy sets out the procedure to be followed to ensure a consistent and effective approach is in place for managing data breach and information security incidents across the company.

3.0 Scope

3.1 This Policy relates to all personal and sensitive data held by the company regardless of format.

3.2 This Policy applies to all staff within our organisation. This includes temporary, casual or agency staff and contractors, consultants, suppliers and data processors working for, or on behalf of the company.

3.3 The objective of this Policy is to contain any breaches, to minimise the risk associated with the breach and consider what action is necessary to secure personal data and prevent further breaches.

4.0 Definition / Types of Breach

4.1 For the purpose of this Policy, data security breaches include both confirmed and suspected incidents.

4.2 An incident in the context of this Policy is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately, and has caused or has the potential to cause damage to the organisation’s information assets and/or reputation.

4.3 An incident includes, but is not restricted to, the following:

  • Loss or theft of confidential or sensitive data or equipment on which such data is stored (e.g. loss of laptop, USB stick, iPad/tablet device, or paper record)
  • Equipment theft or failure
  • Unauthorised use of, access to or modification of data or information systems
  • Attempts (failed or successful) to gain unauthorised access to information or IT system(s)
  • Unauthorised disclosure of sensitive / confidential data
  • Website defacement
  • Hacking attack
  • Unforeseen circumstances such as a fire or flood
  • Human error
  • ‘Blagging’ offences where information is obtained by deceiving the organisation who holds it

5.0 Reporting an incident

5.1 Any individual who accesses, uses or manages the company’s data is responsible for reporting data breach and information security incidents immediately to the Data Protection Officer – Stacey Barsby.

5.2 If the breach occurs or is discovered outside normal working hours, it must be reported at 8am the following day.

5.3 The report will include full and accurate details of the incident, when the breach occurred (dates and times), who is reporting it, if the data relates to people, the nature of the information, and how many individuals are involved. An Incident Report Form should be completed as part of the reporting process. All staff should be aware that any breach of the Data Protection Act will result in the company’s Disciplinary Procedures being instigated.

6.0 Containment and Recovery

6.1 The Data Protection Officer (DPO) will firstly determine if the breach is still occurring. If so, the appropriate steps will be taken immediately to minimise the effect of the breach.

6.2 An initial assessment will be made by the DPO in liaison with relevant officers to establish the severity of the breach and who will take the lead in investigating the breach (this will depend on the nature of the breach; in some cases it could be the DPO).

6.3 The Lead Investigation Officer or Management Subordinate (LIO) will establish whether there is anything that can be done to recover any losses and limit the damage the breach could cause.

6.4 The LIO will establish who may need to be notified as part of the initial containment and will inform the police, where appropriate.

6.5 Advice from experts across the company may be sought in resolving the incident promptly.

6.6 The LIO, in liaison with the relevant officer(s) will determine the suitable course of action to be taken to ensure a resolution to the incident.

7.0 Investigation and Risk Assessment

7.1 An investigation will be undertaken by the LIO immediately and wherever possible within 24 hours of the breach being discovered / reported.

7.2 The LIO will investigate the breach and assess the risks associated with it, for example, the potential adverse consequences for individuals, how serious or substantial those are and how likely they are to occur.

7.3 The investigation will need to take into account the following:

  • the type of data involved
  • its sensitivity
  • the protections in place (e.g. encryption)
  • what has happened to the data (has it been lost or stolen?)
  • whether the data could be put to any illegal or inappropriate use
  • who the individuals are, number of individuals involved and the potential effects on those data subject(s)
  • whether there are wider consequences to the breach

8.0 Notification

8.1 The LIO and / or the DPO, in consultation with the Director of IT and the Director of Governance and Registry Services, will determine who needs to be notified of the breach.

8.2 Every incident will be assessed on a case-by-case basis; however, the following will need to be considered:

  • Whether there are any legal/contractual notification requirements;
  • Whether notification would assist the individual affected – could they act on the information to mitigate risks?
  • Whether notification would help prevent the unauthorised or unlawful use of personal data;
  • Whether notification would help the company meet its obligations under the seventh data protection principle;
  • If a large number of people are affected, or there are very serious consequences, whether the Information Commissioner’s Office (ICO) should be notified. The ICO will only be notified if personal data is involved. Guidance on when and how to notify ICO is available from their website at: https://ico.org.uk/media/1536/breach_reporting.pdf

The dangers of over-notifying:
Not every incident warrants notification, and over-notification may cause disproportionate enquiries and work.

8.3 Notification to the individuals whose personal data has been affected by the incident will include a description of how and when the breach occurred and the data involved. Specific and clear advice will be given on what they can do to protect themselves, and include what action has already been taken to mitigate the risks. Individuals will also be provided with a way in which they can contact the DPO for further information or to ask questions on what has occurred.

8.4 The LIO and/or the DPO must consider notifying third parties such as the police, insurers, banks or credit card companies, and trade unions. This would be appropriate where illegal activity is known or is believed to have occurred, or where there is a risk that illegal activity might occur in the future.

8.5 The LIO and/or the DPO will consider whether the Communications Team should be informed regarding a press release and be ready to handle any incoming press enquiries.

8.6 All actions will be recorded by the DPO.

9.0 Evaluation and response

9.1 Once the initial incident is contained, the DPO will carry out a full review of the causes of the breach; the effectiveness of the response(s) and whether any changes to systems, policies and procedures should be undertaken.

9.2 Existing controls will be reviewed to determine their adequacy, and whether any corrective action should be taken to minimise the risk of similar incidents occurring.

9.3 The review will consider:

  • Where and how personal data is held and stored
  • Where the biggest risks lie
  • Whether methods of transmission are secure, and whether only the minimum amount of data necessary is shared
  • Identifying any further potential weak points within existing security measures
  • Staff awareness
  • Implementing a data breach plan and identifying a group of individuals responsible for reacting to reported breaches of security

9.4 If deemed necessary, a report recommending any changes to systems, policies and procedures will be considered by a Company Director or Operations Manager.

Monday, July 06, 2020

2020 has seen unprecedented times that we, as a company, never thought we would find ourselves in. We would like to express our gratitude to our:

  • Amazing clients

Working in the public sector can be very challenging at times and we understand that for schools, it is difficult to appreciate the way that our business works. Thanks to the support of our schools and the Coronavirus Job Retention Scheme, we managed to waive over £300,000 of invoices to schools. This left us in a very difficult situation as we still have our HQ premises mortgage, bills to cover and suppliers that unfortunately have had to charge us regardless of the situation. We have lost approximately 10 schools for 2020-2021 due to COVID-19 and the budget cuts their schools have faced. We are very hopeful that these schools will return to us once they are open in September and have received funding support from the government.

  • Wonderful staff

Given one day’s notice that all schools in the UK would close, our staff had to frantically cancel over 90 PPA sessions daily, indefinitely. Throughout the peak of the crisis, we have had to work night and day to ensure the decisions we were making were going to have a minimal impact on our regular services once schools resumed. Our staff have taken the time to organise their work, to write new lesson plans for children and new schemes of work, and we couldn’t be more grateful for their support. This truly shows their passion for the education sector and above all their love for children and learning!

  • Suppliers

To those suppliers who have been flexible with us during these unprecedented times, we thank you from the bottom of our hearts. Tsunami Computers Leicester, Lex AutoLease, WaterPlus and many more have allowed us to pause or reduce our monthly payments whilst we have received no income. This has made the difference between us surviving and not surviving the crisis. 

Going forwards, we will be rebuilding our business back up to where we were, and support from schools in outsourcing their PPA to us to help us rebuild is greatly appreciated. We understand PPA time is a legal requirement for all teachers and the majority of the subjects that we cover are compulsory, so if you are struggling to cover PPA time, or would like to explore a new method of covering a compulsory subject such as MFL or ICT, please allow us to provide your school with a FREE trial and show you why you should choose us and support our small business.

We would like to send our well wishes to all small businesses both who have survived the crisis and who unfortunately have closed their doors. If you have managed to survive like us, please dig deep and find that energy to push forwards once more to rebuild your business rather than give up. The UK needs small businesses and even more so now with unemployment on the rise. It will be worth it, we promise!