The UK General Data Protection Regulation (GDPR) defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".
This broad definition means that personal data breaches are very easy to commit. Common examples could include:
- a misdirected email containing personal contact details
- a lost or stolen laptop, mobile phone or USB stick
- leaving personal data in a public place where others can access it
- an external computer hack
However, a breach may not always be as obvious as that.
Read these examples and consider the following:
1. Has a data breach occurred?
2. What immediate action needs to be taken?
3. What action should be taken in future?
- A couple are agents for an energy scheme where they receive a payment when people sign up through them to this scheme. They use the contact details in an old Church Directory to post information about this scheme to the homes of church members they know.
- The secretary of a group emails out information about future events as a group email to people they think might be interested. They do not use the BCC feature for the email addresses.
- The gift-aid secretary's laptop is stolen from a café. There is a file which contains the names and addresses of the gift-aid donors along with the amount of their donations over the years.
- Someone contacts a church member asking for contact details for a third person. These details are obtained and passed on without asking for consent to do so.
- The Circuit Preaching plan contains the contact details of all local preachers and the dates and venues of services in the circuit. It is posted out to those who do not have email accounts. One of the envelopes is badly damaged in the sorting office.
- A church sets up a Facebook Profile for their Youth Worker who accepts Friend requests from the parents of the young people they work with. The Youth Worker is later replaced and the new person is given access to the profile. The parents have not been informed of this change.
- Two people have a very similar work email address – both start with the same text. They frequently get emails meant for the other person.
If you believe that a breach has occurred, take any immediate action that you can to get the information back, e.g.:
- recall the email and ask the unintended recipient not to read it and to delete the email
- retrace your steps to find lost items
- contact the train or bus company if you think you left them on public transport
All data breaches must be recorded. You can download a Word file from this page to help with this.
You should also have a process for keeping track of all breaches, such as on a spreadsheet on a computer or kept in a filing cabinet. Make sure it is kept up to date.
If you think that the breach needs to be reported, contact the Data Champion as soon as possible by completing this online form: Reporting a breach (or see below).
Contact Trustees for Methodist Church Purposes (TMCP) at email@example.com if you believe that it is a breach leading to loss of confidentiality or reputational damage, so that they can handle this for the Managing Trustees as Data Controller.