A data breach occurs when data for which an organization is responsible suffers a security incident resulting in a breach of confidentiality, availability or integrity.
Furthermore, a data breach is a security violation in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve financial information such as credit card & debit card details, bank details, personal health information (PHI), Personally Identifiable Information (PII), trade secrets of corporations or intellectual property. Most data breaches involve overexposed and vulnerable unstructured data – files, documents, and sensitive information.
Additionally, a Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
If that occurs, and the breach is likely to pose a risk to an individual’s rights and freedoms, the organization has to notify the supervisory authority without undue delay, and at the latest within 72 hours after having become aware of the breach.
If the data breach poses a high risk to those individuals affected, then they should all also be informed, unless there are effective technical and organizational protection measures that have been put in place, or other measures that ensure that the risk is no longer likely to materialize.
Personal data breaches can include:
Since Futureview collects, processes, holds and shares personal data, adequate care is taken to protect it from incidents, whether accidental or deliberate, in order to prevent a data protection breach that could jeopardize security and result in reputational damage, erratic service and financial loss.
Purpose & Scope:
The main objective of this policy is to avoid breaches and, where one occurs, to minimize the risk, determine the measures to adopt to protect personal data, and avoid further breaches.
To this end, Futureview will:
Type of Breaches:
This can be controlled by adopting the following measures:
Before emailing any external parties, Futureview will:
Where an email needs to be sent to an unsecure recipient:
Measures Futureview has put in place:
It is also noteworthy that data security breaches include both confirmed and suspected incidents.
An incident is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately, and has caused or has the potential to cause damage to Futureview information assets and/or reputation.
An incident includes, but is not limited to:
Where a data breach occurs, it must be reported immediately to the Data Protection Officer (DPO) through this email address: email@example.com, giving full details such as:
The DPO will assess the extent of the breach in conjunction with the Head ICT and the Head Internal Control Department to ascertain its severity, and will commence investigation immediately and, where possible, within 24 hours of the breach being reported.
Investigation will cover areas like:
The DPO and team, based on the outcome of the investigation, will decide whether the relevant authorities will be notified of the breach. If so, they will notify NITDA not later than 72 hours after occurrence.
Where the breach is likely to result in a high risk to the rights and freedoms of individuals under Data Protection Legislation, data subjects should be notified without undue delay. Notification will capture areas like:
The DPO, having satisfactorily contained the incident, will review, among other things:
The policy will be updated to mirror best practice, thereby ensuring compliance with changes or amendments to applicable legislation, and will be reviewed annually.