Last Updated: 17 August 2018

SPCE is required under the Data Protection Act 2018 and under the General Data Protection Regulation 2018 to ensure the security and confidentiality of all the personal and sensitive personal data it processes including that processed by third parties acting on its behalf.  SPCE takes this very seriously and for this reason we have implemented a Data Breach Policy.


Extreme care should be taken by staff to protect the personal data they work with and to avoid the unauthorised disclosure or loss of personal data.  


Responsibilities within SPCE


  1. Within SPCE the appropriate person who has overall responsibility for any breaches is the CEO Leon Ifayemi, and any breach should be notified to him at  


Legislative framework


  2. There are eight Data Protection Principles contained in the Data Protection Act which must be complied with when processing personal data. Failure to comply with any of these Principles is a breach of the Data Protection Act.  


  3. Furthermore, this framework seeks both to work to the UK standard and to be in line with the EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), enacted May 25, 2016, which replaces the EU Data Protection Directive (Directive 95/46/EC) (EU Directive).


The Seventh Data Protection Principle


4. This policy is concerned with the Seventh Data Protection Principle: ‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’


5. Examples of a breach of this Principle would include:


On an individual basis:


  • personal data accidentally being sent to someone inside or outside SPCE who does not have a legitimate need to see it;

  • databases containing personal data being compromised, for example being illegally accessed by individuals outside the SPCE;

  • unauthorised access to Student, Landlord, Agent and University information or records;

  • loss of a care file, or theft of laptops, mobile devices or paper records containing personal data;

  • staff accessing or disclosing personal data outside the requirements or authorisation of their job;

  • being deceived by a third party into improperly releasing the personal data of another person; and

  • the loss of personal data due to unforeseen circumstances such as a fire or flood.


On a system wide level:


  • a data breach as a result of a hack or other security breach;

  • theft of, or access given to, the central user database; and

  • abuse of access to an account leading to prolonged unauthorised access.


The difference between a security breach and a data breach and the notification process to follow


6. A data breach relates to the loss of personal data and should be notified following the procedure described below. A security breach relates to the loss of equipment containing personal data. Where a security breach has been notified that also involves personal data, staff must also follow the data breach policy.


Action to be taken in the event of a data breach


7. On discovery of a data breach the following high-level actions should be taken:


  • Containment and recovery: how can the exposure be mitigated? Is the breach ongoing and, if so, how can it be stopped?

  • Assessing the risk: what type of data has been lost? What is the risk to the individuals?

  • Notification of breach: to the Information Commissioner's Office and to any affected residents and users.

  • Evaluation and response: review of the breach.


Who is responsible for action?


8. The individual committing the breach, management within SPCE, or the owner of the personal data such as a Student, University, Landlord or Agent.


SPCE, together with any affected customers/owners of personal data, will discuss who is the most appropriate person to take such action; this will involve determining the identity of the data controller for the breach.


The identity of the data controller must be determined for the purpose of the data security breach. The data controller is the party that determines the purpose for, and manner in which, personal data is processed. Which party or parties this applies to may not always be obvious.


There may be more than one data controller, particularly where, for example, shared services are involved. It is also common, in relation to pensions data, for the public body employer, HMRC and the pension trustees all to be data controllers for the same personal data.


Where there is more than one data controller, both parties may be liable for breach of the Security Principle.


In the event that one or more SPCE customers are affected, SPCE will inform the customers and a communication to those affected will be agreed between the parties. If the information relates to students from a particular University, we will consider whether it is appropriate to notify the University and work with them to manage the breach and the PR/communications regarding it.


To assist in deciding, the following questions can be asked:


  • Did the breach occur in relation to the SPCE database or through access to its software?

  • Did the breach occur at SPCE offices?

  • Or did the breach occur due to the actions of one of our partners or suppliers?

  • Who is the best person to take the lead on the response and how can the exposure be minimised?


Action to be taken


9. The immediate priority is to contain the breach, limit its scope and impact, and mitigate its effects. Below are some suggested actions for specific types of breach.


10. When a breach is noticed, the following information should be collected. If the breach affects a particular client, they should be notified as soon as practically possible and provided with the relevant information, which should include:


  • date and time of the breach;

  • date and time the breach was detected;

  • who committed the breach;

  • details of the breach and what personal data is involved;

  • number of data subjects involved; and

  • details of actions already taken in relation to containment and recovery.


Under GDPR you have 72 hours to notify the ICO of a breach, so it is imperative that you respond in a timely manner.
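As an added illustration (not part of SPCE's policy), the breach record below captures the fields listed above and tracks the 72-hour ICO window; it assumes the clock starts at the detection time, and the sample incident is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ICO_WINDOW = timedelta(hours=72)  # notification window stated in the policy


@dataclass
class BreachRecord:
    occurred_at: datetime       # date and time of the breach
    detected_at: datetime       # date and time the breach was detected
    committed_by: str           # who committed the breach
    details: str                # what happened and which personal data is involved
    data_subjects: int          # number of data subjects involved
    containment_actions: list = field(default_factory=list)  # containment/recovery so far

    def __post_init__(self):
        if self.occurred_at.tzinfo is None or self.detected_at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        if self.detected_at < self.occurred_at:
            raise ValueError("breach cannot be detected before it occurred")

    def ico_deadline(self) -> datetime:
        # Assumption: the 72-hour clock starts when SPCE becomes aware, i.e. at detection.
        return self.detected_at + ICO_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        # Negative means the ICO window has already closed.
        return round((self.ico_deadline() - now).total_seconds() / 3600, 1)

    def missing_fields(self) -> list:
        # Policy fields still blank that must be chased before the notification goes out.
        missing = []
        if not self.committed_by.strip():
            missing.append("who committed the breach")
        if not self.details.strip():
            missing.append("details of the breach")
        if not self.containment_actions:
            missing.append("containment and recovery actions")
        return missing

    def ready_to_notify(self, now: datetime) -> bool:
        return not self.missing_fields() and now <= self.ico_deadline()


def constructed_example() -> BreachRecord:
    # Constructed sample incident, not a real one.
    return BreachRecord(
        occurred_at=datetime(2018, 8, 13, 9, 0, tzinfo=timezone.utc),
        detected_at=datetime(2018, 8, 14, 15, 30, tzinfo=timezone.utc),
        committed_by="staff member (constructed)",
        details="tenant contact spreadsheet emailed to the wrong landlord",
        data_subjects=42,
        containment_actions=["recipient asked to delete and confirm in writing"],
    )
```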


Specific steps to be taken in particular scenarios


Below is some guidance on the steps to be taken in relation to particular forms of data or security breach.


Unauthorised distribution of personal data


11. Where personal data has been sent to someone not authorised to see it, or a contractor has accidentally taken confidential personal data offsite, staff should:


  • tell the recipient not to pass it on or discuss it with anyone else;

  • tell the recipient to return it where possible, or if sent out by email to destroy or delete the personal data they have received, and get them to confirm in writing that they have done so;

  • warn the recipient of any implications if they further disclose the data; and

  • inform the data subjects whose personal data is involved what has happened so that they can take any necessary action to protect themselves.


Compromised Systems


12. Where personal data is stored on compromised systems, or where intruders may have accessed or have the potential to access personal data, staff should:


  • Make sure that no one can access or alter compromised systems.

  • Isolate compromised systems from your network and unplug any network cables, without turning the systems off (powering down can destroy volatile evidence).

  • If using a wireless network, change the SSID (Service Set Identifier) on the wireless access point and other systems that may be using this wireless network (but not on any of the systems believed to be compromised).

  • Preserve all logs and similar electronic evidence, e.g. logs from your firewall, anti-virus tool, access control system, web server, application server, database, etc.

  • Perform a back-up of your systems to preserve their current state – this will also facilitate any subsequent investigations.

  • Keep a record of all actions you take.

  • Stay alert for further indications of compromise or suspicious activity in your environment, or that of your third parties.

  • Seek advice before you process any further payment card transactions.

  • If you can, gather details of all compromised or potentially compromised payment card numbers (the ‘accounts at risk’). 


Loss of Equipment


  • The theft or loss of an asset, such as a PC, laptop or mobile device, must be reported immediately to a member of the management team and local law enforcement. This includes losses/thefts outside of business hours and at weekends.

  • If the device that is lost or stolen contained sensitive or payment card data, and the device is not encrypted, SPCE will complete an analysis of the sensitivity, type and volume of data stolen, including any potentially exposed payment card numbers.

  • Where possible, the respondents will use available technology/software to lock down/disable lost or stolen mobile devices (e.g. smart phones, tablets, laptops, etc.) and initiate a remote wipe. Evidence should be captured to confirm this was successfully completed.


Malware (or Malicious Code)


  • Disconnect devices identified with malware from the network immediately.

  • Examine the malware to identify the type (e.g. rootkit, ransomware, etc.) and establish how it infected the device. This will help you to understand how to remove it from the device.

  • Once the malware has been removed a full system scan must be performed using the most up-to-date signatures available, to verify it has been removed from the device.

  • If the malware cannot be removed from the device (as is often the case with rootkits), the device should be rebuilt using original installation media or images. Prior to restoration from back-up media/images you must verify that the back-up media/images are not infected by the malware.

  • Protect the system(s) to prevent further infection by implementing fixes and/or patches to prevent further attack. 


Assessing a breach


13. Questions to ask yourself in relation to reducing the risk/exposure:


  • Who is affected and who needs to be informed regarding the breach asap?

  • Can any access rights be revoked to reduce the exposure?

  • Is it possible to contain the breach by shutting off the affected systems or closing down access?

  • Would contacting the student, landlord, university or agency assist in reducing the risk/ exposure?

  • For example, are there risks to physical safety, reputation or financial loss?

  • What could happen if the personal data is used inappropriately or illegally?

  • For personal data that has been lost or stolen, are there any protections in place such as encryption?

  • Are there reputational risks from a loss of public confidence in the service the SPCE provides?


Notifying the Information Commissioner


Who is responsible for action?


14. Under the GDPR all breaches should be notified to the relevant authority. This may in some circumstances be a different person from the one above who has to respond to the breach. As such, SPCE together with any third parties involved will assess whether a breach has occurred and, if so, which authority is to be notified (i.e. whether this is the ICO) and who is responsible for notifying it.


15. In terms of third parties, an assessment should be made as to who has been affected, the nature of the data and the amount of data involved.


16. Responsibility for notifying the ICO in the event of a data breach by SPCE rests with our CEO Leon Ifayemi who will complete a breach notification form and manage the process.


Breach Review and Improvement


17. Once the breach has been dealt with the cause of the breach needs to be considered. There may be a need to update policies and procedures, or to conduct additional training or a review surrounding the circumstances of the breach.