3. Contacting the interested parties, containment and recovery
Once the risk has been assessed, the dedicated personnel in charge will take actions to stop the breach; if necessary, this may involve law enforcement agencies, e.g. the police.
The following containment measures will be followed:
- Stopping the system if the data breach is caused by a system failure
- Changing the users’ passwords and system configurations to control access and use
- Considering whether internal or outside technical assistance is needed to remedy the system loopholes and/or stop the hacking
- Ceasing or changing the access rights of individuals suspected to have committed or contributed to the data breach
- Notifying the relevant law enforcement agencies if identity theft or other criminal activities have been, or are likely to be, committed
- Keeping the evidence of the data breach which may be useful to facilitate investigation and the taking of corrective actions
4. Notification of breaches
Aylin White Ltd appreciates the distress such incidents can cause. We endeavour to keep the data subject abreast of the investigation and remedial actions. In case of a personal data breach, without undue delay and where feasible we aim to notify the data subject within 72 hours of becoming aware of the breach, and this includes informing the ICO (Information Commissioner’s Office).
5. Evaluation of the response and prevention of future breaches
It is important not only to investigate the causes of the breach but also to evaluate the procedures taken to mitigate possible future incidents. Aylin White Ltd attempts to learn from the experience, reviews how the data collected is being handled to identify the root of the problem, allows constant review to take place and devises a clear strategy to prevent future recurrence.
The review will take into consideration:
- Ongoing improvement of security in the personal data handling processes
- The control of the access rights granted to individuals to use personal data, and whether the “need-to-know” and “need-to-access” principles are being adopted
- The adequacy of the IT security measures to protect personal data from hacking, unauthorised or accidental access, processing, erasure, loss or use
- Ongoing revision of the relevant privacy policy and practice in the light of the data breach
- The effective detection of the data breach, including the keeping of logs and access trails that enable early warning signs to be identified
- The strengthening of the monitoring and supervision mechanism of data users, controllers and processors
- Review of the ongoing training to promote privacy awareness and to enhance the prudence, competence and integrity of the employees, particularly those who act as controllers and processors
- Review of this policy and the procedures listed above.