(1) Under the Data Protection Acts (Data Protection Act, 1998;Data Protection Act 2018) and the General Data Protection Regulation (GDPR), Hibernia College is obliged to keep personal data safe and secure and to respond promptly and appropriately in the event of a personal data security breach. This procedure lays out the steps to be followed by the College in the event that a personal data security breach or suspected personal data security breach occurs. (2) Students have a responsibility to report any breach or suspected breach of personal data to the Records and Data Manager as soon as they become aware of such a breach. (3) The Records and Data Manager is responsible for fulfilling the role of Data Protection Officer in the management of this procedure. (4) All Staff, Faculty and Adjunct Faculty are responsible for engaging with, and adhering to, this procedure as required. (5) All Staff, Faculty and Adjunct Faculty are responsible for reporting any breach or suspected breach of personal data to the Records and Data Manager without delay. (6) A personal data security breach is any incident which gives rise to an unauthorised disclosure, loss, destruction or alternation of personal data held by the College in any format. This includes any breaches which result from malicious conduct, lack of appropriate security controls, system or human failure or error. Personal data security breaches can happen for a number of reasons, including: (7) Any individual who suspects that a personal data security breach has occurred, whether they have caused, been subject to or identified a breach of personal data, are required to: (8) Immediately upon becoming aware of the breach, notify the Records and Data Manager at dpo@hiberniacollege.net, who will advise them on any required steps that need to be taken (9) Notify their line manager (where applicable) without delay (10) Complete the Personal Data Security Breach Report Form, available under the resources section of the Hibernia College Quality Framework, and forward to the Records and Data Manager as soon as possible (11) The Records and Data Manager conducts an initial assessment as a matter of priority within 24 hours upon receipt of a notification, which will include a review of: (12) Where the outcome of an initial assessment confirms that a personal data breach has not occurred, the process concludes, and the Records and Data Manager notifies the reporter that no data breach has occurred. (13) Where the outcome of an initial assessment confirms that a personal data security breach has occurred, the Records and Data Manager will immediately proceed to coordinate the College response, as follows. (14) In the event of a confirmed personal data security breach, immediate and appropriate steps must be taken to limit the extent of the breach. The Records and Data Manager, in consultation with any relevant College Staff, will: (15) As is set out above, where a personal data security breach is confirmed, the Records and Data Manager in conjunction with relevant College Staff, will conduct a risk assessment to assess the potential adverse consequences for the affected data subjects. The assessment will consider the likelihood of the risks taking place and the severity of such risks and will consider the following criteria: (16) Where the personal data security breach is likely to result in a high risk to the rights and freedoms of the data subject, the College will inform the affected data subjects, without undue delay. (17) Where it is necessary to notify the data subject, the Records and Data Manager will communicate the details of the data breach to the data subject(s) to include the: (18) Where the College has determined that the personal data security breach is likely to result in a risk to the rights and freedoms of data subjects, the Records and Data Manager will notify the Data Protection Commission without undue delay, and no later than 72 hours, after becoming aware of the breach. If, for any reason, the breach cannot be notified to the Data Protection Commission within 72 hours, the notification will be accompanied by reasons for the delay. (19) The notification will include the nature of the personal data security breach, including the: (20) The Records and Data Manager retains all records of the incident. (21) The Records and Data Manager, in consultation with all relevant stakeholders, will conduct a review of the incident to: (22) The review report is issued to all relevant departments. (23) A post-incident review will be conducted to ensure that the steps taken during the incident were appropriate and effective and to identify any areas which may need to be improved in future to avoid any recurrence.Personal Data Security Breach Management Procedure
Section 1 - Introduction
Purpose and Parent Policy
The Personal Data and Records Policy is the parent policy. Responsibilities
Student Responsibilities
Staff, Faculty and Adjunct Faculty Responsibilities
Section 2 - Procedure for Managing Personal Data Security Breaches
Part A - What is a data breach?
Part B - Identification and Initial Assessment of a Suspected Breach of Personal Data
Identification and Notification of Suspected Personal Data Security Breach
Initial Assessment
Outcome of Initial Assessment
Part C - Managing a Confirmed Personal Data Security Breach
Containment and Recovery
Risk Assessment
Notification of the Data Subject
Notification of the Data Protection Commissioner
Evaluation and Response
View Current
This is not a current document. To view the current version, click the link in the document's navigation bar.