Personal Data Breach Procedure

Contents

1. Introduction
2. Purpose of this Procedure
3. Scope
4. Steps to Follow
5. Initial Investigation
6. Notifying the ICO/relevant supervisory authority
7. Notifying Affected Data Subjects
8. Notifying the Controller
9. Recording the Data Breach
10. Implementation & Policy Management
Appendix 1 ‐ Risk Matrix

1. Introduction

1.1. This Personal Data Breach Procedure (this “procedure”) sets the procedure to be followed by all employees, workers and contractors (“personnel”, “you”, “your”) of Investors in People
Community Interest Company (“Investors in People”, “we”, “us”, “our”) in the event of a Personal Data breach.

1.2. This procedure has been prepared with due regard to the data protection laws applicable to Investors in People and our Personal Data processing activities. These data protection laws include the UK GDPR and/or the EU GDPR (whichever is applicable) and DPA 2018, (collectively referred to throughout this procedure as the “Data Protection Law”).

1.3. This policy should be read together with the following related documents:

Investors in People Data Protection Policy
Investors in People Data Breach Assessment Form
Investors in People Personal Data Breach Register

Please note, that the definitions for any undefined terms in this procedure can be found in clause 4.1 of Investors in People’s Data Protection Policy and are applicable to this procedure.

2. Purpose of this Procedure

2.1. When processing Personal Data, Investors in People may be required by Data Protection Law to notify other parties following a data breach affecting Personal Data. A Personal Data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

2.2. When processing as a Data Controller, Data Protection Law requires that:

unless the Personal Data breach is unlikely to result in a risk to the rights and freedoms of Data Subjects affected in the UK and/or the EEA it must be reported to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it; and
any Personal Data breach likely to result in a high risk (that is, a higher risk than that described immediately above) to the rights and freedoms of Data Subjects affected in the UK and/or the EEA must be reported to the affected Data Subjects without undue delay except where specific conditions are met.

2.3. When processing as a Data Processor, the Data Protection Law requires Investors in People to notify the Data Controller without undue delay following a data breach affecting their Personal Data.

2.4. It is important to meet these obligations to ensure we comply with Data Protection Law and to ensure we respect the rights and freedoms of Data Subjects. The purpose of this procedure is to set out what is required of Investors in People following a data breach and the steps to be taken in such event.

2.5. This procedure applies to all Investors in People personnel. You must follow this procedure when responding to a Personal Data breach. Any failure to do so may result in disciplinary action.

3. Scope

3.1. This policy applies to all Personal Data processed by Investors in People, whether held in electronic form or in physical records, and regardless of the media on which that Personal Data is stored. It applies to Personal Data we process as a Data Controller and Personal Data we process as a Data Processor (on behalf of our customers).

3.2. Investorsin People isregistered as a Data Controller with the Information Commissioner’s Office (“ICO”) having registration number ZA286529.

4. Steps to Follow

4.1. In the event of a Personal Data breach, the following steps must be followed:

4.2. Always

No.

Step

Action

A potential Personal Data breach is identified.

All potential Personal Data breaches must be reported urgently to the Business Operations Manager at info@investorsinpeople.com. The report must set out all details relating to or known about the potential breach.

This report should clearly set out whether it is believed to be a potential breach including whether it is still under investigation or whether a definitive breach has taken place.

A potential breach should be referred to as an ‘incident’ as opposed to a ‘breach’ until it has been established that a breach has actually occurred.

Investigate whether a Personal Data breach has occurred.

Investors in People shall immediately undertake an initial investigation as set out at Section 5 to establish whether a breach has occurred.

4.3. Investors in People as a Processor

or in the timescale agreed with the relevant Data Controller as set out at Section 8 of this procedure.

Notify the Data Controller where Investors in People is a Data Processor.

If the investigation establishes a breach has occurred which affects Personal Data processed by Investors in People, the Data Controller (our customer) shall be notified without undue delay or in the timescale agreed with the relevant Data Controller as set out at Section 8 of this procedure

4.4. Investors in People as a Data Controller

4	Assess the risks to affected Data Subjects.	The initial investigation shall include an assessment of the risks to rights and freedoms of Data Subjects in accordance with Appendix 1 of this procedure.
5	Notify the ICO/relevant supervisory authority where required.	If it is determined that the breach is likely to result in a risk to Data Subjects, the ICO/relevant supervisory authority shall be notified without undue delay in the manner set out at Section 6 of this procedure.
6	Notify affected Data Subjects where required.	If it is determined that the breach is likely to result in a high risk to Data Subjects the affected Data Subjects shall be notified without undue delay as set out at Section 7 of this procedure.
7	Record the Personal Data breach and details of the actions taken.	A record of all Personal Data breaches must be kept, using the Investors in People Personal Data Breach Register to demonstrate accountability and compliance with Data Protection Law.

5. Initial Investigation

5.1. Upon first being informed of, or upon first identifying a potential Personal Data breach, Investors in People shall immediately undertake a short period of initial investigation. The
investigation shall be led by the Business Operations Manager or their designate, supported by such other persons as they shall deem necessary.

5.2. The Investors in People Data Protection Responsible (“DPR”) shall be kept informed as to the progress and findings of the investigation at all times and shall advise on the steps to be taken to ensure compliance with our legal obligations.

5.3. Investors in People as a Data Processor

5.3.1. Where the Personal Data breach affects data processed by Investors in People as a Data Processor, the initial investigation shall establish whether a breach affecting the Data Controller’s data has occurred. If this is confirmed, Investors in People shall notify the Data Controller as set out at Section 8.

5.4. Investors in People as a Data Controller

5.4.1. Where Investors in People is processing the affected Personal Data as a Data Controller, the investigation shall also determine whether the breach is:

unlikely to result in a risk to the rights and freedoms of Data Subjects
likely to result in a risk to the rights and freedoms of Data Subjects; or
likely to result in a high risk to the rights and freedoms of Data Subjects.

Risks should be assessed objectively, from the Data Subject’s perspective, using the risk matrix and guidance provided at Appendix 1.

5.4.2. The decisions reached in the initial investigation must be documented in the Breach Assessment Form and signed‐off by the DPR and Head of Finance and Business Services. The recommendation in the Breach Assessment Form should clearly set out one of the following conclusions:

the Personal Data breach does not require notification to the ICO because there are no risks to rights and freedoms of Data Subjects; or
the Personal Data breach requires notification to the ICO, because there are risks to rights and freedoms of Data Subjects; or
the Personal Data breach requires notification both to ICO and to the affected Data Subjects because the risks to rights and freedoms of Data Subjects are high (except where measures have subsequently been taken to mitigate the high risk to Data Subjects, in which case notification to Data Subjects is not required); or
where Investors in People is acting as a Data Processor, whether the breach requires notification to the Data Controller.

6. Notifying the ICO/relevant supervisory authority

6.1. Investors in People as a Controller

6.2. Unless the Personal Data breach is unlikely to result in a risk to the rights and freedoms of affected Data Subjects, Investors in People shall report the Personal Data breach to the ICO/relevant supervisory authority without undue delay, and where feasible not later than 72 hours after having become aware of the Personal Data breach. Such notification shall only be made by the DPR following consultation with the Head of Finance and Business Services.

6.3. Where a Personal Data breach notification to the ICO is not made within 72 hours, it shall be accompanied by the reasons for the delay.

6.4. At the time of notification, Investors in People shall provide the following information to the ICO:

a description of the nature of the breach;
the categories of Personal Data affected;
approximate number of Data Subjects affected;
approximate number of Personal Data records affected;
name and contact details of the Investors in People DPR;
details of the likely consequences of the breach;
any measures that have been or will be taken to address the breach, including mitigation; and
additional information relating to the data breach (additional information may be provided in phases after the 72 hour time limit provided reasons for the delay are provided).

7. Notifying Affected Data Subject

7.1. Investors in People as a Controller

7.2. Subsection A: Obligation to notify

7.2.1. Where the Personal Data breach is likely to result in a high risk to the rights and freedoms of affected Data Subjects, Investorsin People shall report the Personal Data breach to the affected Data Subjects without undue delay, except where Subsection B of this part applies. Such notification shall only be made by the DPR following consultation with the Head of Finance and Business Services.

7.2.2. The notification to the data subject shall describe in clear and plain language the nature of the breach and must include:

the name and contact details of the Investors in People DPR, or other point of contact from whom more information may be obtained;
a description of the likely consequences of the Personal Data breach; and
a description of the measures taken or proposed to be taken to address the Personal Data breach including, where appropriate, measures to mitigate its possible adverse effects.

7.2.3. The notification shall also offer advice to the Data Subjects regarding actions they may be able to take to reduce the risks associated with the Personal Data breach, where appropriate (e.g. advising that passwords should be reset where access credentials have been compromised).

7.2.4. The notification should be communicated to affected Data Subjects directly using a dedicated message, preferably email. Public communication may be used where communicating directly with every affected data subject would involve a disproportionate effort. Suitable public communications include prominent website banners or notifications and advertisements in print media.

The notification communication must be signed‐off by the DPR and the Head of Finance and Business Services before it is shared with Data Subjects.

7.3. Subsection B: When notification is not required

7.3.1. The obligation to notify Data Subjects affected by a Personal Data breach set out in Subsection A of this part shall not apply where:

Investors in People has implemented measures which render the affected Personal Data unintelligible to any person who is not authorised to access it (such as state‐of‐the‐art encryption); or
Investors in People has taken steps following the breach which ensure that the high risk to the rights and freedoms of Data Subjects referred to in Subsection A of this part is no longer likely to materialise (such as immediately identifying and taking action against an individual who has access Personal Data before they were able to do anything with it).

8. Notifying the Controller

8.1. Investors in People as a Data Processor

8.1.1. Where the initial investigation establishes that a data breach has occurred which affects Personal Data processed by Investors in People as a Data Processor, we shall notify the affected Data Controller of the breach without undue delay or within the timescale agreed with the Data Controller.

8.1.2. The notification to the Data Controller shall include but is not limited to:

information about the nature of the incident including the date on which it occurred
steps taken or proposed to mitigate the risks associated with the data breach
categories of affected Personal Data
volumes of affected Personal Data
the potential consequences of the data breach
contact details for Investors in People’s Data Protection Responsible
any other information the Data Controller requires, as set out in the data processing agreement.

9. Recording the Data Breach

9.1. All Personal Data breaches shall be recorded in the Investors in People Personal Data Breach Register, regardless of whether or not the breach needs to be notified to the ICO or to Data Subjects.

10. Implementation & Policy Management

10.1. This procedure shall be deemed effective as of 19.12.2022. No part of this procedure shall have retroactive effect and shall thus apply only to matters occurring on or after this date.

10.2. This procedure will be reviewed annually and following any Personal Data breach by the DPR and the Director of Finance and Business Services.

Appendix 1 ‐ Risk Matrix

Risk Assessment

Risk exists where the Personal Data breach may lead to physical, material, or non‐material damage to the individuals whose data has been affected. Guidance can be sought from the DPR when assessing the risks associated with a Personal Data breach.

To assess whether a risk is a high risk, consideration must be given to the likelihood and severity of the possible harm caused by a breach. Where a high risk to Data Subjects is identified, Investors in People will notify the ICO and Data Subjects in accordance with Sections 6 and 7 of this procedure. Where a medium risk is identified, the DPR will consult with the Director of Finance and Business Services to determine next steps.

Factors to be considered when assessing the risk to Data Subjects shall include:
the type of breach;
the nature, sensitivity, and volume of Personal Data;
ease of identification of individuals;
severity of consequences for individuals;
any special characteristics of the individual;
the number of affected individuals.

A data breach involving ‘Sensitive Personal Data’ shall always be considered likely to result in a risk to Data Subjects and potentially a high risk, depending on the factors listed above.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
aka_debug	session	Vimeo sets this cookie which is essential for the website to play video functionality.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
player	1 year	Vimeo uses this cookie to save the user's preferences when playing embedded videos from Vimeo.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
__hstc	5 months 27 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_1Q90G5K82K	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_63867030_6	1 minute	Set by Google to distinguish users.
_gat_UA-63867030-3	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar sets this cookie to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	30 minutes	Hotjar sets this cookie to identify a new user’s first session. It stores a true/false value, indicating whether it was the first time Hotjar saw this user.
_hjIncludedInPageviewSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's pageview limit.
_hjIncludedInSessionSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's daily session limit.
_hjTLDTest	session	To determine the most generic cookie path that has to be used instead of the page hostname, Hotjar sets the _hjTLDTest cookie to store different URL substring alternatives until it fails.
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
cusid	30 minutes	ClickDimensions sets this cookie to establish and continue a user session with the site.
cuvid	2 years	This cookie, set by ClickDimensions, is written to the browser upon the first visit to the site from that web browser.
cuvon	30 minutes	ClickDimensions sets this cookie to store the last time a visitor viewed a page.
hubspotutk	5 months 27 days	HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.

Cookie	Duration	Description
_hjSession_3155220	30 minutes	No description
_hjSessionUser_3155220	1 year	No description
kms_ctamuls	session	No description available.
ln_or	1 day	No description

Personal Data Breach Procedure

Investors in People

Search our website

Useful Info

Follow Us

Contact Us

START YOUR ACCREDITATION JOURNEY

BEFORE YOU GO...

Already accredited?