Procedure for dealing with a breach of personal data protection
Introduction
Definition of a breach
Obtaining information on a suspected personal data breach
An employee’s conduct in the event of suspected personal data breach
Appendix 1
to the Procedure for Dealing with a Breach of Personal Data Protection
SAMPLE CATALOG OF VIOLATIONS AND INCIDENTS THREATENING THE SECURITY OF PERSONAL DATA
1. Forms of personal data security breach caused by an employee involved in data processing:
– in terms of knowledge:
1) Disclosure of how the application and system work and how they are secured,
2) Disclosure of information about equipment and other IT infrastructure,
3) Allowing or creating conditions for anyone to obtain such knowledge, e.g. through observation or documentation,
– in terms of hardware and software:
1) Leaving the workplace while an application that gives access to the personal database remains active,
2) Allowing a person other than the one to whom the identifier was assigned to use an application that gives access to the personal database,
3) Disclosure of access passwords, or leaving a written-down password for access to a personal database or network in any unsecured place, in particular a visible one,
4) Allowing unauthorized persons to use computer hardware and software that gives access to the database,
5) Installing any software on one's own,
6) Modifying system and application parameters,
7) Reading data carriers before scanning them with an anti-virus program,
8) Loss of a computer or other data carrier (e.g. phone, tablet, USB),
– in terms of documents and images containing personal data:
1) Leaving documents in open rooms without supervision,
2) Storing documents improperly secured against unauthorized access,
3) Improper disposal of documents containing personal data,
4) Allowing excessive copying of documentation and losing control over the copies,
5) Allowing other persons to read the contents of a monitor screen on which personal data is displayed,
6) Making copies of data on media and “taking” them outside the data protection area without the consent and knowledge of the administrator,
7) Loss of control over a copy of personal data,
8) Loss of a folder containing data in paper form,
– in terms of premises and infrastructure for the processing of personal data:
1) Enabling unauthorized persons to access the premises where personal data are processed,
2) Allowing persons who are not CI employees to connect any devices to the computer network, add housing elements for sockets and cable trays, or make any other manipulations,
– in the scope of rooms with central computers and network devices:
1) Allowing or ignoring the fact that persons who are not CI employees manipulate any computer network devices or cabling in public places (corridors, etc.),
2) Enabling unauthorized persons to access rooms with central computers or computer network nodes,
– other:
1) Change of data without the consent of the data subject,
2) Sending data to the wrong person (e.g. by addressing an e-mail incorrectly),
3) Unauthorized disclosure of data (e.g. electronically or by phone, when the caller claims to be, for example, a police officer or an office employee and tries to extract information),
4) Inappropriate data deletion (e.g. an administrator decides to sell old computers and, before the sale, only deletes files on the desktop and empties the recycle bin without wiping the data from the computer’s hard drive).
2. Forms of personal data security breach independent of human activity:
1) random events, e.g. flood, fire, heavy rain, very high temperatures, very high humidity, etc.,
2) events independent of human activity or not caused by it, e.g. equipment wear, aging of storage media, voltage fluctuations in the mains, power loss, electrostatic charge accumulation, electromagnetic and radio interference, software defects.