Scribd
Upload
23 views3 pages

Data Breach Report 2024 Appendix

The report provides an update on 13 data breach incidents from August 1, 2022, to December 5, 2023, all of which were reported to the DPO within 72 hours and none required notification to the ICO. The breaches were primarily due to human error, with corrective actions including revised processes and training implemented to prevent future occurrences. The report outlines the response protocol for potential data breaches, emphasizing the importance of timely notification and assessment.

Uploaded by

stevenquach.ict
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
23 views3 pages

Data Breach Report 2024 Appendix

The report provides an update on 13 data breach incidents from August 1, 2022, to December 5, 2023, all of which were reported to the DPO within 72 hours and none required notification to the ICO. The breaches were primarily due to human error, with corrective actions including revised processes and training implemented to prevent future occurrences. The report outlines the response protocol for potential data breaches, emphasizing the importance of timely notification and assessment.

Uploaded by

stevenquach.ict
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

Data Security Breach Report – Appendix A

This report has been prepared to provide an initial update on data breach incidents from August 1st 2022 to December 5th 2023.

Clear guidance is provided to staff, via training and policies, regarding what constitutes a potential data breach and the steps they should take when a
potential data breach is identified. The council’s response to potential data breaches is managed by the DPO following the stages below:

 Notification to the DPO


 Initial assessment by the DPO and Section Head
 Escalation to the SIRO (Chief Internal Auditor) if necessary; this may lead to the Information Commissioner (ICO) being notified, dependant on the
severity of the incident.
 Remedial Action, for example corrective action, training, revised processes, and potentially disciplinary action.

Overall, there have been 13 data breaches, 13 being notified to the DPO within 72 Hours of which 0 required notification to the ICO.

A summary breakdown follows:

Reference Section Response Reported Root Cause Medium Data Action Comments, including detail
Number in 72 to ICO Subjects where a breach spans multiple
Hours mediums
20221000 Ctax Yes No Human Error Letter 1 Revised Process Wrong letter inserted in
envelope.
20221001 Housing Yes No Human Error Email 1 Revised Process Wrong attachment sent via
email.
20221002 Housing Yes No Human Error Letter 1 Corrective Wrong attachment inserted in
Action envelope
20221200 Housing Yes No Human Error Email 256 Agency Disgruntled Agency worker
contacted emailed all GBC staff their
grievances

20230200 Housing Yes No Inappropriate Image 1 Disciplinary Agency staff copied and used
Action by Staff staff email addresses from none-
GBC email account
20230300 Reception Yes No Human Error Email 1 Revised Process Email address copied incorrectly
so invoice went to wrong email
address.
20230301 Housing Yes No Human Error Letter 1 Revised Process
Email sent with wrong
attachment
20230500 Reception Yes No Human Error Email 1 Revised Process Email address copied incorrectly
so invoice went to wrong email
address.
20230700 Planning Yes No Human Error Email 1 Revised Process D16 response sent to wrong
email address
20230800 Ctax Yes No Human Error Email 1 Revised Process Pre-populated form sent instead
of blank form
20230801 Housing/Ctax Yes No Human Error Letter 1 Revised Process Additional doc printed on
reverse of letter -
20231100 Housing Yes No Human Error Electronic/paper 5 Training Left briefcase at court
20231101 IT Yes No Human Error Electronic <452150 Revised Incorrect data extract selected
Process/Training for processing.

Glossary
Information Commissioner’s Office (ICO)
The Information Commissioner's Office is a non-departmental public body which reports directly to the United Kingdom Parliament and is sponsored by the Department for Digital, Culture,
Media and Sport. Its role is to uphold information rights in the public interest.
https://ico.org.uk/

Response time/Notifying the ICO of Data Breaches.


The ICO needs to be notified of more serious data breaches. A self-assessment is available on the ICO’s website, to identify if it needs to be notified of a data breach. This needs to be done
within 72 hours, which is the key response metric monitored by the internal team.
https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach-assessment/

Medium
This is the format of the information constituting the data breach, more detail is provided in the comments column of the data breaches detail page within this report.
e.g. Electronic, Email, Laptop, Letter, Mobile, Paper, Verbal

Number Impacted
This is the number of individuals whose personal information was potentially compromised through a data breach.

Root Cause
The categories of root cause are based on guidance for the NHS Security Toolkit; this is widely used across the public sector, to assess arrangements against good practice.
e.g. Cyber, Human Error, Inappropriate Action by Staff, Criminal Action, System Error

Action Taken
These are the primary actions taken to respond to/rectify a data breach; e.g. Corrective Action, Disciplinary, Police Notified, Revised Process, Training.

You might also like