Method statement – Data loss and information security breach management

1. Introduction

1.1 This method statement describes elements to consider and address in the event of data loss or an information security breach. It will assist the University in determining appropriate courses of action if a security breach involving personal or confidential data occurs, and in dealing with any security breach effectively. It forms part of the University’s Information Security and Data Protection policies.

1.2 Data loss and security breaches can happen for a number of reasons and occur in different contexts. They may encompass more than personally identifiable information (e.g. trade secrets or intellectual property, denial of service, technical malfunctions).

1.3 The University must take appropriate measures against unauthorised or unlawful processing and against accidental loss, destruction of or damage to personal information. A breach management policy constitutes one of these measures and supports the University’s obligations under the seventh Data Protection Principle where personal information is involved.

1.4 Breaches of information security, duties of care, confidentiality and integrity (including inappropriate access to or loss of research data) constitute unacceptable research conduct, as governed by the University’s Policy on Research Integrity and its research and academic misconduct policies.

1.5 The method statement should be used alongside policy and guidelines issued by the University of York.

2. Breach management

2.1 Breaches of information security must be reported as soon as discovered and notified in accordance with the reporting protocols and principles given in the University’s Incident Management Policy (see 4.1).

2.2 Breaches of information security must be reported to the Data Protection Officer who will take appropriate action and inform the relevant authorities (dataprotection@york.ac.uk; +44 (0)1904 323869). Where a breach involves research data, the Pro-Vice-Chancellor for Research will be notified and for IT security emergencies the University's Computer Emergency Response Team will be alerted.

2.3 Breach management has four important strategic elements. When a security breach is discovered the priorities are:

  1. containment and recovery, to limit as far as possible any damage.
  2. assessment of the risks associated with the breach. A risk assessment will help inform decisions about remedial actions and notification.
  3. notification of the appropriate people/organisations that a breach has occurred.
  4. understanding the causes and evaluating the effectiveness of the University's response to the incident, revising as necessary its information security measures in the light of any findings.

2.4 Actions and points for consideration by the investigation lead when addressing the four strands are given in the supporting guidance: ‘Checklist for an information security breach’.

2.5 University Officers, Heads of Departments and Section Heads will work with relevant stakeholders, data protection and security specialists and the Information Security Board to investigate any reported breach in their area of responsibility. They will assist in the timely reporting of breaches and remedial actions to the Director of Information Services and Information Security Board.

2.6 Departments holding data supplied by a third-party organisation, where there is a contractual duty to report an incident to that organisation within a particular timeframe, must respect the reporting timescales and guidelines agreed in the governing agreement or terms of use, having first alerted and (wherever possible) consulted the Director of Information Services.

2.7 The Information Security Board will monitor and review information security incidents to identify recurring incidents and areas of risk. The review process will be used to identify requirements for new or changed policies, to update the University risk register and to identify any other relevant controls. The Director of Information Services as Chair will determine notification to the Information Commissioner’s Office.

3. Oversight

3.1 The Information Security Board, chaired by the Director of Information Services, will monitor the effectiveness of this method statement and carry out regular reviews.

4. Policy and implementation documents

4.1 Information Security Policy – Incident management policy

4.2 Guidance – Checklist for an information security breach

Document history and status

26 March 2014 Approved by Information Policy Executive
24 April 2014 Approved by Information Security Board
29 January 2016 Reviewed and approved by Information Security Board
23 March 2017 Reviewed and approved by Information Security Board
3 July 2017 Addition of 2.7 approved by Information Security Board
20 June 2018 Reviewed and approved by Information Security Board

Status

Review cycle: Annual

Date of next review: March 2019