DPM Breaches Policy

In the event of a data breach – which we define as any circumstance when data has or might have been removed or copied and/or taken from outside of our control – the following will occur

• A breach log (“Breach Log”)will be set up to record breaches
• The first person to identify or suspect the breach will immediately inform the DPO (dpo@mrcollege.ac.uk)
• The DPO will or will arrange to investigate and will assess as soon as possible whether there is a breach and if so what has been removed or otherwise breached and whether it could be considered as a breach posing a risk of harm to the Data Subject
• Any breach involving losses of multiple sets of data will be considered as likely to pose a risk of harm
• If there is no risk of harm to the Data Subject the DPO will:
• Note the breach in the Breach Log
• Take steps to ensure that it cannot happen again including where necessary providing additional training
• If there is a risk of harm the DPO will:
• Will ensure to have robust breach detection, investigation and internal reporting procedures in place.
• Report to ICO and those affecting individuals within 72 hours using the template letter
• Advise the relevant data subjects using the template letter
• Note the breach in the Breach Log
• Takes steps as above to ensure it cannot happen again
• Take such other steps as are reasonably required
• Comply with any requirements of the ICO