1. Introduction
This Policy sets out the obligations of Feet & Co Podiatry Ltd, a company
registered in Scotland under Number SC726888, whose registered office is at 3
Engine Road, Loanhead EH20 9RF (“the Company”) regarding the handling
and reporting of data breaches and personal data breaches in accordance with
the UK Data Protection Legislation. “Data Protection Legislation”, in this Policy,
means all legislation and regulations in force from time to time regulating the
use of personal data including, but not limited to, the retained EU law version of
the General Data Protection Regulation ((EU) 2016/679) (the “UK GDPR”), as
it forms part of the law of England and Wales, Scotland, and Northern Ireland
by virtue of section 3 of the European Union (Withdrawal) Act 2018, the Data
Protection Act 2018, and any successor legislation.
The UK GDPR defines “personal data” as any information relating to an
identified or identifiable natural person (a “data subject”); an identifiable natural
person is one who can be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an identification number, location
data, an online identifier, or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural, or social identity of that
natural person.
The UK GDPR defines a “personal data breach” as a breach of security leading
to the accidental or unlawful destruction, loss, alteration, unauthorised
disclosure of, or access to, personal data transmitted, stored, or otherwise
processed.
The Company is under a duty to report certain types of personal data breach
directly to the Information Commissioner’s Office (“ICO”). The Company is also
required to inform individual data subjects in the case of breaches that present
a high risk of adversely affecting their rights and freedoms.
All personal data collected, held and processed by the Company will be
handled in accordance with the Company’s Data Protection Policy.
The Company has in place procedures for the detection, investigation, and
reporting of data breaches. This Policy applies to all data breaches (including
personal data breaches) within the Company and is designed to assist in both
the handling of such breaches and in determining whether or not they must be
reported to the ICO and/or to data subjects.
The Company’s Data Protection Officer, Lynsey Watson, Director, is
responsible for the implementation of this Policy, for overseeing the handling of
all data breaches, and for ensuring that this Policy is adhered to by all staff.
2. Scope of Policy
2.1 This Policy relates to all formats of data (including personal data and
sensitive personal data (known as “special category” data under the Data
Protection Legislation)) collected, held and processed by the Company.
2.2 This Policy applies to all staff of the Company, including but not limited
to employees, agents, contractors, consultants, temporary staff, casual or
agency staff, or other suppliers or data processors working for or on behalf of
the Company.
2.3 This Policy applies to all data breaches, whether suspected or
confirmed.
3. Data Breaches
3.1 For the purposes of this Policy, a data breach means any event or
action (accidental or deliberate) which presents a threat to the security,
integrity, confidentiality, or availability of data.
3.2 Incidents to which this Policy applies may include, but are not limited to:
a) the loss or theft of a physical data record;
b) the loss or theft of computer equipment (e.g. laptop), mobile devices
(e.g. smartphone or tablet), portable data storage devices (e.g. USB
drive), or other data storage devices;
c) equipment failure;
d) unauthorised access to, use of, or modification of data (or inadequate
access controls allowing unauthorised access, use, or modification);
e) unauthorised disclosure of data;
f) human error (e.g. sending data to the wrong recipient);
g) unforeseen circumstances such as fire or flood;
h) hacking, phishing, and other offences whereby information is obtained
by deception;
4. Internal Reporting
4.1 If a data breach is discovered or suspected, members of staff should
complete a Data Breach Report Form (available from the Company Shared
Admin Drive Folder ‘GDPR & Data Privacy’) and send the completed form to
the Data Protection Officer.
4.2 A completed Data Breach Report Form should include full and accurate
details about the incident including, but not limited to (where applicable):
a) the time and date of the breach;
b) the time and date the breach was discovered;
c) whether the data relates to the Company or one of its clients;
d) the type(s) of data involved;
e) where the breach involves personal data, the category or categories of data
subject to which the personal data relates (e.g. customers, employees
etc.);
f) whether or not any sensitive personal data is involved;
g) how many data subjects are likely to be affected (if known);
4.3 Where appropriate, members of staff should liaise with the Data
Protection Officer when completing a Data Breach Report Form.
4.4 If a data breach occurs or is discovered outside of normal working soon
as is reasonably practicable.
4.5 Unless and until instructed to do so by the Company’s Data Protection
Officer or Director, members of staff should not take any further action with respect to
a data breach. In particular, individual members of staff should not take it upon
themselves to notify affected data subjects, the ICO, or any other individuals or
organisations.
5. Initial Management and Recording
5.1 Upon receipt of a Data Breach Report Form (or upon being notified of a
data breach in any other way), the Company’s Data Protection Officer shall
begin by determining whether the data breach is still occurring. If this is the
case, appropriate steps shall be taken immediately to minimise the effects of
the data breach and to stop it.
5.2 Having established the above, the following steps shall then be taken
with respect to the data breach:
a) undertake an initial assessment of the data breach, liaising with the
relevant staff and clients where appropriate, to establish the severity of
the data breach;
b) contain the data breach, or restrict the availability of the affected data
(e.g. by changing or revoking access permissions or by temporarily making
the data unavailable electronically);
c) determine whether anything further can be done to recover the data
and/or other losses, and to limit the damage caused by the breach;
d) establish who needs to be notified initially (including, if physical records
or equipment have been lost or stolen, the police) as part of the initial
containment;
e) determine, in liaison with the relevant staff and clients, the best course
of action to resolve and remedy the data breach; and
f) record the breach and the initial steps taken above in the Company’s
Data Breach Register.
5.3 Having completed the initial steps described above, the Company’s
Data Protection Officer shall proceed with investigating and assessing the data
breach as described in Part 6, below.
6. Investigation and Assessment
6.1 The Company’s Data Protection Officer shall begin an investigation of a
data breach as soon as is reasonably possible after receiving a Data Breach
Report Form (or being notified in any other way) and, in any event, within 24
hours of the data breach being discovered and/or reported.
6.2 Investigations and assessments must take the following into account:
a) the type(s) of data involved (and, in particular, whether the data is
personal data or sensitive data);
b) the sensitivity of the data (both commercially and personally);
c) what the data breach involved;
d) what organisational and technical measures were in place to protect the
data;
e) what might be done with the data as a result of a breach (including
unlawful or otherwise inappropriate misuse);
f) where personal data is involved, what the personal data could tell a
third party about the data subjects to whom the data relates;
g) the category or categories of data subject to whom any personal data
relates;
h) the number of data subjects (or approximate number if calculating an
exact number is not reasonably practicable) likely to be affected by the
data breach;
i) the potential effects on the data subjects involved;
j) the potential consequences for the Company;
k) the broader consequences of the data breach, both for data subjects
and for the Company;
6.3 The results of the investigation and assessment described above must
be recorded in the Company’s Data Breach Register.
6.4 Having completed the investigation and assessment described above,
the Company Data Protection Officer shall determine the parties to be notified
of the breach as described in Part 7, below.
7. Notification
7.1 The Company’s Data Protection Officer shall determine whether to
notify one or more of the following parties of the breach:
a) affected data subjects;
b) the ICO;
c) the police;
d) the Company’s insurers;
e) affected commercial partners and clients;
7.2 When considering whether (and how) to notify individual data subjects
in the event of a personal data breach, the following should be considered:
a) the likelihood that data subjects’ rights and freedoms as set out in the
Data Protection Legislation (and the Company’s Data Protection Policy)
will be adversely affected;
b) whether there is a legal or contractual requirement to notify;
c) whether measures in place to protect the affected personal data (e.g.
pseudonymisation or encryption) have been applied, thereby rendering
the data unusable to any unauthorised parties;
d) whether measures have been taken following the data breach that will
ensure that a high risk to the rights and freedoms of affected data
subjects is no longer likely to occur;
e) the benefits to data subjects of being notified (e.g. giving them the
opportunity to mitigate the risks posed by the data breach);
f) whether notifying individuals will involve disproportionate effort (in which
case a public communication or other widely available notice may
suffice, provided that affected data subjects will still be informed
effectively);
g) the best way of notifying data subjects, taking into account the urgency
of the situation and the security of the possible methods;
h) any special considerations applicable to certain categories of data
subject (e.g. children or vulnerable people);
i) the information that should be provided to affected data subjects;
j) how to make it easy for affected data subjects to contact the Company
to find out more about the data breach;
k) further assistance that the Company should provide to the affected data
subjects, where appropriate;
l) the risks of over-notifying - not all data breaches require notification and
excessive notification may result in disproportionate work and number
of enquiries from individuals;
7.3 When individual data subjects are to be informed of a data breach,
those individuals must be informed of the breach without undue delay.
Individuals shall be provided with the following information:
a) a user-friendly description of the data breach, including how and when it
occurred, the personal data involved, and the likely consequences;
b) clear and specific advice, where relevant, on the steps individuals can
take to protect themselves;
c) a description of the measures taken (or proposed to be taken) to
address the data breach including, where relevant, measures taken to
mitigate any possible adverse effects;
d) contact details for the Company’s Data Protection Officer from whom
affected individuals can obtain further information about the data
breach.
7.4 When considering whether (and how) to notify the ICO of a data breach,
the following should be considered:
a) the risk and potential harm to data subjects, their rights, and freedoms -
harm can include (but is not limited to) financial harm, physical
harm, loss of control over personal data, discrimination, identity theft or
fraud, damage to reputation, and emotional distress;
b) the volume of personal data involved - the ICO should be notified if a
large volume of data is involved and there is a real risk of data subjects
suffering harm as a result, however it may also be appropriate to notify
the ICO if a smaller amount of high-risk data is involved;
c) the sensitivity of the data involved - the more sensitive the personal data
is, the less the volume of it is relevant, and if the data breach presents a
significant risk of data subjects suffering substantial detriment or
distress, the ICO should be notified.
7.5 If the ICO is to be notified of a data breach, this must be done within 72
hours of becoming aware of the breach, where feasible. This time limit applies
even if complete details of the data breach are not yet available. The ICO must
be provided with the following information:
a) the category or categories and the approximate number of data subjects
whose personal data is affected by the data breach;
b) the category or categories and the approximate number of personal
data records involved;
c) the name and contact details of the Company Data Protection Officer
from whom the ICO can obtain further information about the data
breach;
d) a description of the likely consequences of the data breach; and
e) a description of the measures taken (or proposed to be taken) to
address the data breach including, where relevant, measures taken to
mitigate any possible adverse effects.
7.6 The police may have been contacted at an earlier point in the data
breach procedure (see 5.2), however further investigation may reveal that the
data breach resulted from a criminal act, in which case the police should be
further informed.
7.7 Records must be kept of all data breaches, regardless of whether
notification is required. The decision-making process surrounding notification
should be documented and recorded in the Company’s Data Breach Register.
8. Evaluation and Response
8.1 When the steps set out above have been completed, the data breach
has been contained, and all necessary parties notified, the Company’s Data Protection
Officer shall conduct a complete review of the causes of the data breach, the
effectiveness of the measures taken in response, and whether any systems, policies,
or procedures can be changed to prevent data breaches from occurring in the future.
8.2 Such reviews shall, in particular, consider the following with respect to
data (and in particular, personal data) collected, held, and processed by the
Company:
a) where and how data is held and stored;
b) the current organisational and technical security measures in
place to protect data and the risks and possible weaknesses of
those measures;
c) the methods of data transmission for both physical and
electronic data and whether or not such methods are secure;
d) the level of data sharing that takes place and whether or not that
level is necessary;
e) whether any data protection impact assessments need to be
conducted or updated;
f) staff and client awareness and training concerning data
protection;
8.3 Where possible improvements and/or other changes are identified, the
Company’s Data Protection Officer shall liaise with the relevant staff and
clients with respect to the implementation of such improvements and/or
changes.
9. Policy Review and Implementation
9.1 This Policy will be updated as necessary to reflect current best practice,
official guidance, and current legislation.
This Policy shall be deemed effective as of 29th September 2022. No
part of this Policy shall have retroactive effect and shall thus apply only
to matters occurring on or after this date.
This Policy has been approved and authorised by:
Name: Lynsey Watson
Position: Director
Date: 29th September 2022
Data Protection Policy - Feet & Co Podiatry Ltd - 2022