The UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Assessing and reporting breaches

You have procedures to assess all security incidents and then report relevant breaches to the ICO within the statutory time frame.

Ways to meet our expectations:

  • You have a procedure to assess the likelihood and severity of the risk to individuals as a result of a personal data breach.
  • You have a procedure to notify the ICO of a breach within 72 hours of becoming aware of it (even when all the information is not yet available) and you notify the ICO on time.
  • The procedure includes details of what information must be given to the ICO about the breach.
  • If you consider it unnecessary to report a breach, you document the reasons why your organisation considers the breach unlikely to result in a risk to the rights and freedoms of individuals.

Can you answer yes to the following questions?

  • Are staff aware of the policies and procedures and are they easy to find?
  • Do staff understand how to conduct the risk assessment?
  • Do they know when a breach needs to be reported to the ICO?