This document consisting of 3 pages constitutes the policy for Managing Data Protection Management Breaches adopted by the Chambers of John McDonnell QC. References to “Chambers” are to those barristers’ chambers. References to “the Head of Chambers” and “the Senior Clerk” are to the holders of those positions from time to time.
There are four key steps to the Chambers’ data protection breach management plan:
1. Containment and recovery
2. Assessment and ongoing risk
3. Notification of breach
4. Evaluation and response
1. Containment and recovery
The Head of Chambers and reporting person must:
1. Take steps to recover any lost data and limit the damage that the breach can cause where possible;
2. Decide who will lead the investigation into the breach; and
3. Find out who needs to be aware of the breach and tell those persons what they are expected to do (if anything) to assist in the containment and recovery of the breach.
2. Assess the risks
The person leading the investigation must assess the potential adverse consequences of the breach for the individuals concerned (the individuals to whom the personal data in question pertains), the potential severity or scale of the breach and the likelihood of adverse consequences occurring.
3. Notification of breaches
The Chambers has a duty to report all data protection breaches that are likely to result in a risk to the rights and freedoms of individuals to the Information Commissioner’s Office (ICO).
The Head of Chambers or in the event of his absence the Senior Clerk or other suitable deputy is responsible for ensuring that all relevant data protection breaches are reported to the ICO without delay and no later than 72 hours after having become aware of it.
The Head of Chambers will report the breach to the ICO in accordance with the reporting methods set by the ICO.
Where deemed appropriate, the individuals affected by the data protection breach must also be informed. The investigating person must provide individuals with specific and clear information about what has happened and what is being done to address the breach. Advice should also be offered on any steps that the affected individuals can take to protect themselves. The individuals must be given contact details should they require further information or help.
Consideration must also be given as to whether any other third parties should be notified, including, for example, the Police, insurers, professional bodies, banks etc.
4. Evaluation and response
The final step is to evaluate the Chambers’ response to the data protection breach. It is important to establish whether the breach was caused by an isolated incident or is part of a wider systemic issue so that Chambers can try to prevent the same or a similar breach from occurring in the future.
Any lessons learned should be shared across Chambers as appropriate by communicating the details to the relevant members and staff of Chambers.
The Head of Chambers will review any records of data breaches periodically to establish any trends requiring further attention.
Recording a data protection breach
There must be a central record of all data protection breaches that occur. The Head of Chambers is responsible for maintaining a data protection breach register.
Deputies
In order to ensure that the functions and responsibilities set out above are carried out timeously, the Head of Chambers may from time to time nominate a deputy, being either the Senior Clerk or a member of Chambers to fulfil the responsibilities contained in this document. Any such nomination shall be made in writing save in the case of urgency.