Data Breach Policy

Policy adopted: April 3rd 2018
Last review: 3/3/26
Next review: March 2028

1. Purpose

Cropwell Bishop Parish Council recognises the importance of protecting personal data and responding promptly and effectively to any personal data breach.

This policy sets out how the Council will identify, report, manage, and record personal data breaches in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Definition of a Personal Data Breach

A personal data breach is defined under UK GDPR as:

“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

Examples include:

  • access by an unauthorised third party
  • sending personal data to an incorrect recipient
  • loss or theft of devices containing personal data
  • alteration of personal data without permission
  • accidental deletion or loss of personal data
  • loss of availability of personal data

3. Responsibilities

The Parish Council, as the Data Controller, is responsible for ensuring personal data breaches are managed appropriately.

Parish Clerk

The Parish Clerk has day-to-day responsibility for managing personal data breaches and ensuring appropriate action is taken.

Data Protection Officer (DPO)

The Council has appointed an external Data Protection Officer who provides independent advice and supports the Council in assessing breaches and determining whether notification to the ICO or affected individuals is required.

External IT Support Provider

The Council’s IT support provider may assist with:

  • identifying and investigating breaches
  • containing incidents
  • restoring systems or data
  • implementing technical measures to mitigate risks

4. Reporting a Breach

Any councillor, employee, or volunteer who becomes aware of a potential personal data breach must report it immediately to the Parish Clerk.

The Parish Clerk will then notify the Data Protection Officer without delay.

Prompt reporting is essential to allow the Council to determine whether the breach must be reported to the Information Commissioner’s Office (ICO) within the required 72-hour timeframe.

5. Managing a Breach

When a breach is identified the Council will take appropriate steps to:

  1. Contain the breach
    Prevent further loss or disclosure of personal data where possible.
  2. Assess the breach
    Determine:
    • the type of data involved
    • the number of individuals affected
    • the potential impact on individuals
  3. Mitigate the impact
    The Council’s IT support provider may assist with technical measures to secure systems and reduce the risk of further harm.
  4. Determine notification requirements
    In consultation with the Data Protection Officer.

6. Notification to the ICO

Where a personal data breach is likely to result in a risk to the rights and freedoms of individuals, the Council will notify the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

If notification is delayed beyond 72 hours, the reasons for the delay will be documented.

When reporting a breach to the ICO the Council will provide:

  • a description of the nature of the breach
  • the categories and approximate number of data subjects affected
  • the categories and approximate number of personal data records concerned
  • the name and contact details of the Data Protection Officer
  • the likely consequences of the breach
  • measures taken or proposed to address the breach and mitigate possible adverse effects

7. Notification to Individuals

Where a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the Council will inform the affected individuals without undue delay.

The communication will include:

  • the nature of the breach
  • contact details of the Data Protection Officer
  • the likely consequences of the breach
  • measures taken or proposed to address the breach

Notification to individuals may not be required if:

  • appropriate technical measures (such as encryption) have rendered the data unintelligible
  • subsequent measures have ensured that the high risk is no longer likely to materialise
  • it would involve disproportionate effort, in which case a public communication may be made instead

8. Data Processors

Where a data processor acting on behalf of the Council becomes aware of a personal data breach, they must notify the Council without undue delay.

It remains the responsibility of the Council, as Data Controller, to determine whether the breach must be reported to the ICO or affected individuals.

9. Record of Data Breaches

The Council will maintain a record of all personal data breaches, including breaches that do not require notification to the ICO.

The breach record will include:

  • date of breach
  • description of the breach
  • type of personal data involved
  • number of individuals affected (where known)
  • risk assessment outcome
  • whether the breach was reported to the ICO
  • whether individuals were notified
  • actions taken to contain and mitigate the breach
  • measures taken to prevent recurrence

Maintaining a breach log helps the Council identify patterns and improve the protection of personal data.

10. Learning from Breaches

Following any breach, the Council will review the circumstances of the incident and consider whether improvements are needed to:

  • policies and procedures
  • technical security measures
  • staff awareness and training
  • supplier or processor arrangements

11. Complaints

Individuals who believe their personal data has been handled incorrectly may contact the Parish Clerk or the Data Protection Officer.

Individuals also have the right to complain to the Information Commissioner’s Office (ICO).

ICO contact details:

Website: https://ico.org.uk
Telephone: 0303 123 1113

12. Review of this Policy

This policy will be reviewed periodically to ensure it remains consistent with legal requirements and the Council’s operational practices.