ST MARY’S CHURCH LYMM
BREACH NOTIFICATION POLICY
The GDPR introduces a duty on all organisations including churches to report certain types of personal data breach to the relevant supervisory authority.
A data breach occurs whenever the security of personal data is compromised. This could be as simple as sending an email to the wrong person, leaving a folder containing paper financial records on the bus/train or wiping a computer drive which contained important records.
It does not matter if the breach occurs by accident or as a result of deliberate actions.
The breach must be reported to the Data Controller within 72 hours of the breach. If it is a significant breach, the Data Controller will inform the ICO and must keep a record of the breach as well.
We do not necessarily need to let the affected individuals know; however, we must do so if there is a high risk of an adverse effect on their rights and freedoms.
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.
What breaches do we need to notify the ICO about?
When a personal data breach has occurred, we need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then we must notify the ICO; if it’s unlikely then we don’t have to report it. However, if we decide we don’t need to report the breach, we need to justify the decision, so we need to document it.
Persons to contact:
In the first instance the breach must be reported to the Data Controller – Carol Roberts – or to the PCC Secretary, Derek Buckthorpe, 01925 752810, email email@example.com, who will inform the Data Controller.
In the absence of the Data Controller, report the breach to the Rector – Rev’d Beverley Jameson – or to the Churchwardens.