DPM Breaches Policy


In the event of a data breach – which we define as any circumstance in which data has been or might have been removed or copied and/or taken outside of our control – the following will occur:

  • A breach log (“Breach Log”) will be set up to record breaches
  • The first person to identify or suspect the breach will immediately inform the DPO (dpo@mrcollege.ac.uk)
  • The DPO will investigate, or arrange an investigation, and will assess as soon as possible whether there is a breach and, if so, what has been removed or otherwise breached and whether it could be considered a breach posing a risk of harm to the Data Subject
  • Any breach involving losses of multiple sets of data will be considered as likely to pose a risk of harm
  • If there is no risk of harm to the Data Subject the DPO will:
      • Note the breach in the Breach Log
      • Take steps to ensure that it cannot happen again, including where necessary providing additional training
  • If there is a risk of harm the DPO will:
      • Ensure that robust breach detection, investigation and internal reporting procedures are in place
      • Report to the ICO and those affected individuals within 72 hours using the template letter
      • Advise the relevant data subjects using the template letter
      • Note the breach in the Breach Log
      • Take steps as above to ensure it cannot happen again
      • Take such other steps as are reasonably required
      • Comply with any requirements of the ICO