Data Breach Response Plan

🚨 EMERGENCY BREACH REPORTING

If you discover or suspect a data breach:

IMMEDIATELY contact the Data Protection Officer:

📞 Emergency: [DPO EMERGENCY NUMBER] (24/7)
📧 Email: dpo@clearmindseap.com
📧 Backup: [BACKUP CONTACT EMAIL]

Do NOT delay reporting - we have strict legal timeframes to report to the ICO (within 72 hours)

1. Introduction and Purpose

This Data Breach Response Plan establishes ClearMinds' procedures for identifying, assessing, responding to, and recovering from personal data breaches in compliance with UK GDPR and the Data Protection Act 2018.

A personal data breach can have serious consequences for affected individuals and for ClearMinds. This plan ensures we respond quickly, effectively, and in compliance with legal requirements, particularly the 72-hour notification requirement to the ICO.

1.1 What is a Data Breach?

Under UK GDPR Article 4(12), a personal data breach means:

"A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."

1.2 Types of Data Breaches

Confidentiality Breach: Unauthorised or accidental disclosure of or access to personal data
Availability Breach: Accidental or unauthorised loss of access to or destruction of personal data
Integrity Breach: Unauthorised or accidental alteration of personal data

Examples of Data Breaches:

Email sent to wrong recipient containing personal data
Loss or theft of device containing personal data
Ransomware attack encrypting clinical records
Unauthorised access to systems by hacker
Staff member accessing records without authorisation
Accidental publication of personal data on website
Physical records left in insecure location
Backup tapes lost or stolen

2. Data Breach Response Team

2.1 Core Response Team

Role	Name	Contact	Responsibilities
Data Protection Officer (Lead)	[DPO NAME]	[DPO CONTACT]	Overall incident management, ICO liaison, regulatory compliance
IT Security Lead	[IT LEAD NAME]	[IT CONTACT]	Technical investigation, containment, system security
Clinical Director	[CLINICAL DIRECTOR NAME]	[CLINICAL CONTACT]	Clinical impact assessment, patient safety, clinical communications
Legal Counsel	[LEGAL NAME / FIRM]	[LEGAL CONTACT]	Legal advice, liability assessment, regulatory response
Communications Lead	[COMMS LEAD NAME]	[COMMS CONTACT]	Internal/external communications, media liaison
Senior Management	[CEO/MD NAME]	[MANAGEMENT CONTACT]	Strategic decisions, board liaison, resource approval

2.2 Extended Team (as needed)

HR Director: Staff-related breaches, disciplinary matters
Insurance Broker: Professional indemnity and cyber insurance claims
Forensic Investigators: For serious cyberattacks
PR Agency: For major incidents requiring media management

3. Breach Response Timeline

Critical Timeframes (UK GDPR Requirements)

0-24 hours: Detection, containment, initial assessment, mobilise response team
Within 72 hours: Report to ICO (if required) - Article 33 UK GDPR
Without undue delay: Notify affected data subjects (if high risk) - Article 34 UK GDPR
Within 30 days: Complete full investigation and implement remedial actions

⚠️ Critical Requirement: If we cannot report to the ICO within 72 hours, we must provide reasons for the delay and submit the report as soon as possible thereafter. Delays must be justified and documented.

4. Phase 1: Detection and Initial Response (0-2 hours)

4.1 Breach Detection

Breaches may be detected through:

Automated security alerts and monitoring systems
Staff reports or concerns
Data subjects reporting issues
Third-party notifications (e.g., processor breach)
Media reports or public disclosure
Regulatory notifications
Audit findings

4.2 Immediate Actions (First Person Discovering Breach)

✅ Immediate Actions Checklist

STOP and CONTAIN: Immediately stop any ongoing breach activity if safe to do so
PRESERVE EVIDENCE: Do not delete, alter, or destroy any evidence. Take screenshots if appropriate
REPORT IMMEDIATELY: Contact DPO via emergency number [NUMBER] or email dpo@clearmindseap.com
DO NOT DISCUSS: Do not discuss the breach with anyone except the DPO or response team
DOCUMENT: Write down exactly what happened, when, and what you observed
SECURE AREA: If physical breach, secure the location and prevent access

4.3 DPO Initial Assessment (Within 1 hour)

Upon notification, the DPO will:

Confirm breach details and severity
Activate the Data Breach Response Team
Assign incident reference number
Open incident log and begin documentation
Initiate immediate containment measures
Determine if 72-hour clock has started (when organisation became aware)
Notify senior management

5. Phase 2: Containment and Assessment (2-24 hours)

5.1 Immediate Containment

IT Security Lead Actions:

Isolate affected systems to prevent further compromise
Change passwords and revoke compromised credentials
Disable compromised user accounts
Implement firewall rules to block malicious traffic
Preserve logs and forensic evidence
Secure physical perimeter if physical breach

5.2 Breach Assessment

The response team must assess:

Nature of the Breach

What type of breach occurred? (confidentiality, integrity, availability)
Was it accidental or malicious?
Is it a cyber incident, human error, or system failure?

Scope and Impact

What personal data was affected?
How many individuals are affected?
Does it include special category data (health data)?
Was the data encrypted or otherwise protected?
Was the breach internal or external?
Has the data been recovered or is it still at risk?

Risks to Individuals

What are the potential consequences for affected individuals?
Could it cause physical, material, or non-material damage?
Could it lead to discrimination, identity theft, or fraud?
Could it cause psychological distress or damage to reputation?
Could it affect vulnerable individuals (children, mental health patients)?

5.3 Risk Severity Assessment

Risk Level	Characteristics	ICO Report?	Data Subject Notification?
LOW	Minimal or no risk to individuals. Quick containment. No sensitive data. Internal breach with recovery.	NO (but log internally)	NO
MEDIUM	Some risk to individuals. Limited scope. Non-sensitive data or encrypted. Unlikely to cause significant harm.	YES (within 72 hours)	ASSESS (if risk mitigated, may not be required)
HIGH	Significant risk. Large-scale breach. Sensitive/special category data. Potential for serious harm (identity theft, discrimination, psychological harm).	YES (within 72 hours)	YES (without undue delay)
CRITICAL	Severe risk. Mass breach of health data. Children involved. High likelihood of serious harm. Media attention likely.	YES (URGENT - within 72 hours)	YES (URGENT - without undue delay)

6. Phase 3: Notification and Communication (24-72 hours)

6.1 ICO Notification (Article 33 UK GDPR)

When to Notify: Within 72 hours of becoming aware of a breach likely to result in a risk to individuals' rights and freedoms.

How to Notify: Via the ICO's online breach reporting tool at https://ico.org.uk/for-organisations/report-a-breach/

Information to Include in ICO Report:

Description of the breach: Nature of the breach, categories and approximate numbers of data subjects and records affected
Contact details: Name and contact details of the DPO or other contact point
Likely consequences: Description of the likely consequences of the breach
Measures taken: Description of measures taken or proposed to address the breach, including mitigation of possible adverse effects

Phased Reporting: If we cannot provide all information within 72 hours, we can submit an initial report and provide additional information in phases, explaining reasons for the delay.

6.2 Data Subject Notification (Article 34 UK GDPR)

When to Notify: Without undue delay if the breach is likely to result in a HIGH RISK to individuals' rights and freedoms.

Exceptions (when notification NOT required):

Appropriate technical and organisational protection measures were applied (e.g., encryption)
Subsequent measures taken ensure high risk is no longer likely to materialise
Notification would involve disproportionate effort (can use public communication instead)

Content of Data Subject Notifications:

Clear and Plain Language: Easy to understand, avoid technical jargon
Nature of Breach: Describe what happened in simple terms
Contact Point: DPO contact details for questions
Likely Consequences: What could happen as a result of the breach
Measures Taken: What we've done to address the breach
Recommended Actions: What individuals should do to protect themselves
Support Offered: Any support we're providing (e.g., credit monitoring)

Notification Methods:

Preferred: Direct communication (email, letter, phone call)
Alternative: Public announcement if direct communication impossible or disproportionate
Multiple Channels: Use several methods to ensure affected individuals are reached

6.3 Internal Communication

Staff: Brief affected staff; provide talking points; emphasise confidentiality
Board/Senior Management: Regular updates on incident status
Department Updates: Keep all relevant departments informed

6.4 External Communication

B2B Partners: Notify affected corporate clients (employers, insurance companies)
Processors: Notify any processors involved or affected
Professional Bodies: Notify relevant professional regulators if required
Insurance Provider: Notify cyber and professional indemnity insurers
Media: Prepared statements if media attention likely
Law Enforcement: Report to police if criminal activity involved

7. Phase 4: Investigation and Recovery (3-30 days)

7.1 Detailed Investigation

Conduct thorough investigation to determine:

Root Cause: What caused the breach? Technical failure? Human error? Malicious attack?
Timeline: Detailed chronology of events
Entry Points: How did the breach occur? What vulnerabilities were exploited?
Full Scope: Complete extent of data affected and individuals impacted
Contributing Factors: What systemic issues or weaknesses contributed?

7.2 Forensic Analysis

For serious incidents, consider engaging:

Forensic IT investigators
Cybersecurity experts
Independent auditors

7.3 Recovery Actions

Restore Systems: Recover affected systems from clean backups
Patch Vulnerabilities: Fix security weaknesses that allowed the breach
Enhance Security: Implement additional security measures
Monitor: Enhanced monitoring for further incidents
Support Affected Individuals: Provide ongoing support and information

7.4 Disciplinary Action

If breach resulted from staff misconduct or negligence:

Conduct disciplinary investigation per Disciplinary Policy
Consider sanctions from training to dismissal based on severity
Consider professional body reporting if required
Document all actions taken

8. Phase 5: Post-Incident Review and Improvement (30+ days)

8.1 Comprehensive Review

Within 30 days of breach resolution, conduct full post-incident review:

What Happened: Complete factual account
Response Effectiveness: What worked well? What didn't?
Communication Assessment: Were notifications timely and effective?
Lessons Learned: Key takeaways and insights
Recommendations: Concrete actions to prevent recurrence

8.2 Corrective and Preventive Actions

Policy Updates: Revise policies and procedures
Technical Controls: Implement new security measures
Staff Training: Additional training on identified weaknesses
Process Changes: Improve business processes
Third-Party Review: Review and update processor agreements

8.3 Action Plan

Create action plan with:

Specific actions required
Responsible person for each action
Deadlines for completion
Success criteria
Review dates to verify implementation

8.4 Documentation and Reporting

Complete incident report for breach log
Board report on incident and lessons learned
Update risk register
Share anonymised lessons with staff

9. Breach Documentation Requirements

ClearMinds maintains a comprehensive breach log documenting all breaches, regardless of whether ICO notification was required.

9.1 Breach Log Contents

For each breach, document:

Incident reference number and date discovered
Description of breach and data affected
Number of individuals affected
Risk assessment and severity rating
Timeline of key events
Actions taken to contain and mitigate
Whether ICO notification was made (and reasoning)
Whether data subjects were notified (and reasoning)
Lessons learned and corrective actions

9.2 Retention

Breach records retained for 7 years from breach date for accountability and ICO audit purposes.

10. Special Scenarios

10.1 Processor Breaches

If a processor experiences a breach affecting ClearMinds data:

Processor must notify ClearMinds without undue delay per Data Processing Agreement
ClearMinds (as controller) is responsible for ICO notification
Assess whether we have sufficient information to notify within 72 hours
Work collaboratively with processor on investigation and resolution
Review processor relationship and contract

10.2 Ransomware Attacks

Ransomware is both an availability breach and often a confidentiality breach:

DO NOT PAY RANSOM without explicit authorisation from CEO and DPO
Assume data has been exfiltrated unless proven otherwise
Engage cybersecurity forensics immediately
Report to National Cyber Security Centre (NCSC) and Action Fraud
Notify ICO within 72 hours
Consider if data subjects need notification (usually yes for health data)

10.3 Insider Threats

Breaches caused by malicious or negligent insiders:

Immediately revoke all system access
Preserve evidence (do not alert the individual initially)
Engage HR and consider police involvement
Review access logs to determine full extent
Consider injunction to prevent further disclosure
Disciplinary and potentially legal action

10.4 Physical Breaches

Loss or theft of devices or physical records:

Report to police immediately (obtain crime reference number)
Remote wipe devices if possible
Assess encryption status of device
Change passwords for any accounts accessible from device
Notify ICO if not encrypted or high-risk data

11. Training and Awareness

All staff receive annual data breach awareness training
Response team receives specialist incident response training
Annual breach simulation exercises ("tabletop exercises")
Regular updates on lessons learned from incidents

12. Testing and Review

Annual Testing: Simulated breach scenarios to test plan effectiveness
Annual Review: Full review of this plan
Post-Incident Review: Plan updated after every significant breach
Regulatory Review: Updated to reflect ICO guidance and legal changes

13. Related Documents

Data Protection Policy
Information Security Policy
Incident Response Plan (IT Security)
Business Continuity Plan
Disciplinary Procedure
Media Communications Protocol