This Procedure sets out the processes to be followed by TRIPS staff in the event that TRIPS experiences a data breach or suspects that a data breach has occurred. A data breach involves the loss of, unauthorised access to, or unauthorised disclosure of, personal information.

1. Policy

This Procedure is governed by the TRIPS Privacy Policy.

2. Introduction

TRIPS is committed to managing personal information in accordance with the GDPR 2018  (the Act) and the TRIPS Privacy Policy.

This document sets out the processes to be followed by TRIPS staff in the event that TRIPS experiences a data breach or suspects that a data breach has occurred. A data breach involves the loss of, unauthorised access to, or unauthorised disclosure of, personal information.

Accordingly, TRIPS needs to be prepared to act quickly in the event of a data breach (or suspected breach), and determine whether it is likely to result in serious harm and whether it constitutes an NDB.

Adherence to this Procedure and Response Plan will ensure that TRIPS can contain, assess and respond to data breaches expeditiously and mitigate potential harm to the person(s) affected.

This document should be read in conjunction with TRIPS’s Privacy Policy.

3.  Process where a breach occurs or is suspected

3.1 Alert

A privacy or data breach is detected via the TRIPS configuration of Cloudflare, Wordfence and the server Firewall. Where a privacy data breach is known to have occurred (or is suspected) any member of TRIPS staff who becomes aware of this must, within 24 hours, alert a Senior Investigator and Managing Director their contact details are below.

It is also important to note that TRIPS staff members are responsible for the care of their personal devices when accessing the TRIPS website. This includes maintaining an up to date antivirus and malware scanning package. Should you require assistance with doing this, please contact a member of the team below.

Responsible team members:

● Kristina Andersen, Technological University of Eindhoven (project coordinator)
● Tally Hatzakis, TRI (Deputy Coordinator)

The Information that should be provided (if known) at this point includes:

  1. When the breach occurred (time and date)
  2. Description of the breach (type of personal information involved)
  3. Cause of the breach (if known) otherwise how it was discovered
  4. Which system(s) if any are affected?
  5. Whether corrective action has occurred to remedy or ameliorate the breach (or suspected breach)

3.2 Assess And Determine The Potential Impact

Once notified of the information above, the informed parties must consider whether a privacy data breach has (or is likely to have) occurred and make a preliminary judgement as to its severity. The Privacy Coordinator should be contacted for advice.

3.2.1 Criteria for determining whether a privacy data breach has occurred

  1. Is personal information involved?
  2. Is the personal information of a sensitive nature?
  3. Has there been unauthorised access to personal information, or unauthorised disclosure of personal information, or loss of personal information in circumstances where access to the information is likely to occur?

For the purposes of this assessment the following terms are defined in the Privacy Policy: personal information, sensitive information, unauthorised access, unauthorised disclosure and loss.

3.2.2 Criteria for determining severity

  1. The type and extent of personal information involved
  2. Whether multiple individuals have been affected
  3. Whether the information is protected by any security measures (password protection or encryption)
  4. The person or kinds of people who now have access
  5. Whether there is (or could there be) a real risk of serious harm to the affected individuals
  6. Whether there could be media or stakeholder attention as a result of the breach or suspect breach

With respect to 3.2.2(e) above, serious harm could include physical, physiological, emotional, economic/financial or harm to reputation.

Having considered the matters in 3.2.1 and 3.2.2, the Web Developer must notify the TRIPS Team within 24 hours of being alerted under 3.1.

3.3 Web Developer To Issue Pre-Emptive Instructions

On receipt of the communication by the relevant member of the team under 3.2, the Web Developer (along with guidance from the hosting company) will take a preliminary view as to whether the breach (or suspected breach) may constitute an NDB. Accordingly, the Web Developer will issue pre-emptive instructions as to whether the data breach should be managed at the local level or escalated to the Hosting company. This will depend on the nature and severity of the breach.

3.3.1 Data breach managed at the organisational level

Where the Web Developer instructs that the data breach is to be managed at the local level, the relevant member of staff must:

  • ensure that immediate corrective action is taken, if this has not already occurred (corrective action may include: retrieval or recovery of the personal information, ceasing unauthorised access, shutting down or isolating the affected system); and
  • submit a report to the Managing Director within 48 hours of receiving instructions under 3.3. The report must contain the following:
    • Description of breach or suspected breach
    • Action taken
    • Outcome of action
    • Processes that have been implemented to prevent a repeat of the situation.
    • Recommendation that no further action is necessary

The Web Developer will be provided with a copy of the report and will sign-off that no further action is required.

The report will be logged by the Web Developer.

3.3.2 Data breach managed by the Hosting Company

Where the Web Developer instructs that the data breach must be escalated to the Hosting Company, the Web Developer will remain in constant contact with the Hosts and will provide a full report to the managing director of TRIPS.

3.4 Notification

If there are reasonable grounds, the Web Developer must prepare a prescribed statement and provide a copy to the Managing Director as soon as practicable (and no later than 30 days after becoming aware of the breach or suspected breach).

If practicable, TRIPS must also notify each individual to whom the relevant personal information relates. Where impracticable, TRIPS must take reasonable steps to publicise the statement (including publishing on the website).

3.6 Secondary Role Of The Response Team

  • Identify lessons learnt and remedial action that can be taken to reduce the likelihood of recurrence – this may involve a review of policies, processes, refresher training.
  • Prepare a summary
  • Consider the option of an audit to ensure necessary outcomes are effected and effective.

4.  Updates to this Procedure

This procedure is scheduled for review every year or more frequently if appropriate