Information Security and Data Breach Incident Management
Purpose/Scope
The aim of this enabling guidance is to ensure that all OPFCC staff including third party contractors and volunteers understand their responsibilities to deal with data breaches and security incidents in an appropriate and timely manner. The scope includes any incident falling within the definitions below involving any data held by the organisation. This includes personal data as defined in the Data Protection Act 2018 and GDPR, as well as operational data that relates to the organisation and its business or assets (and therefore not specifically covered under Data Protection Law).
What is a security incident?
The definition of a security breach is an adverse situation that has caused damage to the organisation’s assets, reputation and/or personnel. The definition of a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example when it has been encrypted by ransomware, or accidentally lost or destroyed. The definition of a weakness is a situation or series of situations that has the potential to cause damage to the organisation’s assets, reputation and/or personnel. All of these (breaches, personal data breaches and weaknesses) should be reported in the same manner using Form 1010.
This could cover a wide range of areas including, but not limited to:
- accidental or deliberate destruction/loss/modification of information
- accidental or deliberate unauthorised disclosure of information
- accidentally or deliberately disrupting OPFCC/Force/Fire Information Systems
- unauthorised access to OPFCC/Force/Fire information systems
- misuse of OPFCC/Force/Fire data or information
- theft or loss of OPFCC/Force/Fire information assets
- theft or loss of ID cards, door access fobs or security tokens
- physical breach, e.g. an unauthorised person in a building
- any other event which affects OPFCC/Force/Fire information security
Reporting Information Security Incidents
All incidents should be reported using Form 1010; this is available via Force Forms and can also be found from the Intranet via Systems Menu and ISRAMS. The form can be completed by anyone with access to a force device and does not need to be completed by the affected individual; so, if a member of staff has had a laptop stolen their supervisor or another colleague can complete the form on their behalf.
The report should contain the details of the incident. In addition to the basic 5WH (Who, What, When, Where, Why and How) of how the incident occurred, it should also contain the details required for onward reporting to the ICO:
- the approximate number of individuals affected by a breach and the type of data.
- a description of the consequences of the personal data breach.
- a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
Whether or not personal data has been breached, reasonable remedial action should be taken immediately to contain the event, and any actions taken should be detailed in the Form 1010. Supervisors are copied in to Form 1010; the supervisor will default to the one recorded in the Force Directory, but if this is not correct there is an option to nominate a different supervisor. The supervisor will be prompted to consider appropriate fast track actions. The notification will read as below:
“You are receiving this as the supervisor of the person submitting the report so that you can consider whether your support is required to help them address or manage this incident. This is for your awareness only; no specific action is required.
However, please give consideration to whether there are any other reasonable and appropriate fast track actions that should have been completed.
- A lost or stolen OPFCC/Force/Fire device or access card should be disabled by ISD or Estates and Facilities (via FCR out of hours).
- Temporary physical security arrangements should be put in place for insecure force buildings.
- Individuals who may be at risk due to a breach of their data may need safeguarding.”
Where an event requires attendance by a police officer, for example a suspicious person on site, this should be logged immediately with Force Control Room and the incident number provided on the Form 1010.
Timeliness of reporting information security events
It is everyone’s responsibility to report suspected or observed security breaches as soon as possible. Where a significant breach occurs, there are onward reporting processes that have timescales associated with them. For example, serious breaches of personal data must be reported to the ICO within 72 hours, and a ransomware attack that could affect other organisations must be reported immediately through Fast Time reporting mechanisms. These processes and timescales will be managed by Information Assurance leads on your behalf, but it is imperative that the report is made as soon as possible so that appropriate action can be taken depending on the risk and impact. It is appropriate to complete some fast track actions first, such as getting a lost access card or IT device disabled to prevent it being used, but it is not appropriate to wait a week for a reply to an e-mail to colleagues to see if they have picked your kit up by mistake.
Management of Information Security Incidents and Improvements
Incident reports are automatically notified to the Data Protection Officer, the Head of Paid Service and the Director for Delivery. If you have completed Form 1010 you do not need to separately report to these people. A risk assessment will be undertaken to cover Information Security considerations such as the risk to operational data – personnel, buildings, operations, cases, etc. as well as Data Protection considerations such as whether the rights and freedoms of any individual have been adversely affected and whether onward reporting to the ICO is necessary. This assessment will then inform how the incident is managed. Priorities and considerations are:
- Safeguarding human life and personal safety.
- Protecting material in line with its classification (GSC).
- Protecting systems from damage.
- Minimising disruption to police operations and the wider justice process.
- Managing the wellbeing of staff involved.
A low-risk matter where the appropriate action has already been taken may be closed with no further action required.
Where appropriate, incidents may be referred to other forums, boards or departments for full ownership, or for specific elements to be addressed. These can include:
- Referral to ICO and/or IOPC where the impact warrants this action.
- Referral to Professional Standards for assessment of corruption or conduct matters.
- Referral to HR and/or Line Managers for performance matters.
- Review of process and procedure to minimise recurrence.
- Communications messages to raise awareness of risks and issues and clarify correct procedures.
- Recommendations to Change and/or ISD to design improvements into new initiatives.
Monitoring and review
The senior owner will review the content of this guidance annually to ensure that this is relevant and up to date. The author has agreed that this document will be reviewed within 12 months of the effective date.