Procedure for dealing with a breach of personal data protection

Introduction

1. Correct application of the procedure for dealing with a personal data breach requires knowledge of the applicable Personal Data Protection Policy of the Polish ISTDP Sentio Institute, in particular the expressions contained therein, such as e.g. Personal Data Administrator and understanding the principles of personal data processing.
2. The procedure for dealing with a breach of personal data protection contains detailed solutions to Chapter XV of the Personal Data Protection Policy “Personal Data Security Breach”, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general regulation on the protection of personal data, hereinafter referred to as GDPR).

Definition of a breach

1. A breach of personal data protection is any event, dependent and independent on human will, causing a threat to the security of personal data, in particular:
   1. leading to the loss of data integrity (e.g. leaving documents containing data in public places)
   2. threatening the confidentiality of data (e.g. sending data by electronic means without securing access to files)
   3. threatening data accountability (e.g. using one access password by several people)
   4. the access to the data is at risk (e.g. loss of the flash drive containing the personal data, and the user of the medium has not made a backup).
2. An exemplary catalog of violations is included in the appendix to this Policy.
3. A breach of personal data protection is in particular considered when:
   1. a breach of the applicable internal regulations has been found,
   2. a breach of applicable law has been found,
   3. a breach of physical or IT security has been found,
   4. the condition of the computer hardware, the content of the personal data set, disclosed working methods, the way the program works or the quality of communication in the telecommunications network may indicate a breach of security of these data
   5. other circumstances indicating that an unauthorized disclosure of personal data processed by the entity may have taken place.

Obtaining information on a suspected personal data breach

1. The administrator may obtain information about a breach of personal data protection from various sources, in particular by informing about it by the person employed in the processing of data and obtaining information from the data processor, which pursuant to art. 33 paragraph. 2 GDPR, is obliged to report the infringement to the controller without undue delay.
2. Notification of the processing entity takes place on the terms set out in separate data processing agreements.

An employee’s conduct in the event of suspected personal data breach

1. The Administrator should be notified of any suspected violation of personal data protection.
2. Form of notification:
   1) The employee or his supervisor informs the Administrator by e-mail
3. The notification should be made immediately, but not later than within 24 hours from the finding of a suspected personal data breach.
4. Any employee who finds a data breach suspected is obliged, as far as possible, to take steps necessary to stop the effects of the breach.

Appendix 1
to the Handling Procedure
in violation of the protection of personal data

SAMPLE CATALOG OF VIOLATIONS AND INCIDENTS THREATEN TO THE SECURITY OF PERSONAL DATA

1.Forms of personal data security breach by an employee employed in data processing:

– in terms of knowledge:
1) Disclosure of the way the application and system work, and its security,
2) Disclosure of information about equipment and other IT infrastructure,
3) Allowing and creating conditions for anyone to obtain such knowledge, e.g. from observation or documentation,

– in terms of hardware and software:
1) Leaving the workplace and leaving the active application enabling access to the personal database,
2) Allowing to use the application enabling access to the personal database by any person other than the person to whom the identifier was assigned,
3) Disclosure of access passwords or leaving in any unsecured, and in particular in a visible place, a saved password to access a personal database or network,
4) Admitting to the use of computer hardware and software enabling access to the database by unauthorized persons,
5) Installing any software yourself,
6) Modifying system and application parameters,
7) Reading data carriers before checking them with an anti-virus program,
8) Loss of a computer or other data carrier (e.g. phone, tablet, USB),

– in the field of documents and images containing personal data:
1) Leaving documents in open rooms without supervision,
2) Storage of documents improperly secured against unauthorized access,
3) Improper disposal of documents containing personal data,
4) Allowing for excessive copying of documentation and loss of control over the copy,
5) Allowing other persons to read the contents of the screen of the monitor on which personal data is displayed,
6) Making copies of data on media and “taking” outside the data protection area without the consent and knowledge of the administrator,
7) Loss of control over a copy of personal data,
8) Loss of a folder containing data in the paper version,

– in terms of premises and infrastructure for the processing of personal data:
1) Enabling unauthorized persons to access the premises where personal data are processed,
2) Allowing that persons from outside CI employees connect any devices to the computer network, add housing elements for sockets and cable trays, or make any manipulations,

– in the scope of rooms with central computers and network devices:
1) Allowing or ignoring the fact that people from outside CI employees manipulate any computer network devices or cabling in public places (corridors, etc.),
2) Enabling unauthorized persons to access rooms with central computers or computer network nodes,

– another:
1) Change of data without the consent of the data subject,
2) Sending data to the wrong person (e.g. by addressing the e-mail incorrectly),
3) Unauthorized disclosure of data (e.g. electronically or, for example, by phone, when the interlocutor claims to be, for example, a police or office employee, trying to extract information),
4) Inappropriate data deletion (eg an administrator decides to sell old computers and before sale only deletes files on the desktop and empties the recycle bin without deleting data from the computer’s hard drive).

2.Forms of personal data security breach independent of human activity:
1) random events, e.g. flood, fire, heavy rain, very high temperatures, very high humidity, etc.,
2) events independent of human activity or not caused by it, e.g. equipment wear, aging of storage media, voltage changes in the network, loss of current, electrostatic charge accumulation, electromagnetic and radio disturbances, software defects.

3. Phenomena showing a possible breach of personal data protection:
   1) Traces of manipulations with computer network systems or computers,
   2) Presence of new cables of unknown purpose or origin,
   3) Unannounced changes in the appearance or behavior of the application used to process personal data,
   4) Unexpected, unexplainable changes to the database content,
   5) Traces of break-in into the rooms where personal data are processed,
   6) A non-inventoried means of information processing was used (not owned by the employer),
   7) The appearance of unauthorized information on the website.