1.1 This method statement describes elements to consider and address in the event of data loss or an information security breach. It will assist the University in determining appropriate courses of action if a security breach involving personal or confidential data occurs, and in dealing with any security breach effectively. It forms part of the University’s Information Security and Data Protection policies.
1.2 Data loss and security breaches can happen for a number of reasons and occur in different contexts. They may encompass more than personally identifiable information (e.g. trade secrets or intellectual property, denial of service, technical malfunctions).
1.3 The University must take appropriate measures against unauthorised or unlawful processing and against accidental loss, destruction of or damage to personal information. A breach management policy constitutes one of these measures and supports the University’s obligations under the seventh Data Protection Principle where personal information is involved.
1.4 Breaches of information security, duties of care, confidentiality and integrity (including inappropriate access to or loss of research data) constitute unacceptable research conduct, as governed by the University’s Policy on Research Integrity and its research and academic misconduct policies.
1.5 The method statement should be used alongside policy and guidelines issued by the University of York.
2.1 Breaches of information security must be reported as soon as discovered and notified in accordance with the reporting protocols and principles given in the University’s Incident Management Policy (see 4.1).
2.2 Breaches of information security must be reported to the Data Protection Officer who will take appropriate action and inform the relevant authorities (firstname.lastname@example.org; +44 (0)1904 323869). Where a breach involves research data, the Pro-Vice-Chancellor for Research will be notified and for IT security emergencies the University's Computer Emergency Response Team will be alerted.
2.3 Breach management has four important strategic elements. When a security breach is discovered the priorities are:
2.4 Actions and points for consideration by the investigation lead when addressing the four strands are given in the supporting guidance: ‘Checklist for an information security breach’.
2.5 University Officers, Heads of Departments and Section Heads will work with relevant stakeholders, data protection and security specialists and the Information Security Board to investigate any reported breach in their area of responsibility. They will assist in the timely reporting of breaches and remedial actions to the Director of Information Services and Information Security Board.
2.7 The Information Security Board will monitor and review information security incidents to identify recurring incidents and areas of risk. The review process will be used to identify requirements for new or changed policies, to update the University risk register and to identify any other relevant controls. The Director of Information Services as Chair will determine notification to the Information Commissioner’s Office.
3.1 The Information Security Board, chaired by the Director of Information Services, will monitor the effectiveness of this method statement and carry out regular reviews.
| Date | Action |
|---|---|
| 26 March 2014 | Approved by Information Policy Executive |
| 24 April 2014 | Approved by Information Security Board |
| 29 January 2016 | Reviewed and approved by Information Security Board |
| 23 March 2017 | Reviewed and approved by Information Security Board |
| 3 July 2017 | Addition of 2.7 approved by Information Security Board |
| 20 June 2018 | Reviewed and approved by Information Security Board |
Review cycle: Annual
Date of next review: March 2019