1.1 This method statement describes elements to consider and address in the event of data loss or an information security breach. It will assist the University in determining appropriate courses of action if a security breach involving personal or confidential data occurs and dealing with any security breach effectively. It forms part of the University’s Information Security and Data Protection policies.
1.2 Data loss and security breaches can happen for a number of reasons and occur in different contexts. They may encompass more than personally identifiable information (eg trade secrets or intellectual property, denial of service, technical malfunctions).
1.3 The University must take appropriate measures against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A breach management policy constitutes one of these measures and supports the University’s obligations under principle 5 (1) (f) of the UK GDPR.
1.4 Breaches of information security, duties of care, confidentiality and integrity (including inappropriate access to or loss of research data) constitute unacceptable research conduct, as governed by the University’s Policy on Research Integrity and its research and academic misconduct policies.
1.5 The method statement should be used alongside policy and guidelines issued by the University of York.
2.1 Breaches of information security must be reported as soon as discovered and notified in accordance with the reporting protocols and principles given in the University’s Incident Management Policy (see 4.1).
2.2 Breach management has four important strategic elements. When a security breach is discovered the priorities are:
2.3 Actions and points for consideration by the investigation lead when addressing the four strands are given in the supporting guidance: Checklist for information security breaches.
2.4 University Officers, Heads of Departments and Section Heads will work with relevant stakeholders, data protection and security specialists and the Information Security Board, where appropriate, to investigate any reported breach in their area of responsibility. They will assist in the timely reporting of breaches and remedial actions to the Director of Technology, Estates and Facilities and Information Security Board.
2.6 The Information Security Board will monitor and review information security incidents to identify recurring incidents and areas of risk. The review process will be used to identify requirements for new or changed policies, to update the University risk register and to identify any other relevant controls. The Data Protection Officer will determine notification to the Information Commissioner’s Office.
3.1 The Information Security Board, chaired by the Director of Technology, Estates and Facilities, will monitor the effectiveness of this method statement and carry out regular reviews.
|26 March 2014||Approved by Information Policy Executive|
|24 April 2014||Approved by Information Security Board|
|29 January 2016||Reviewed and approved by Information Security Board|
|23 March 2017||Reviewed and approved by Information Security Board|
|3 July 2017||Addition of 2.7 approved by Information Security Board|
|20 June 2018||Reviewed and approved by Information Security Board|
|4 March 2021||Reviewed and approved by Information Security Board|
Review cycle: Annual
Date of next review: March 2022