DATA BREACH NOTIFICATION POLICY


Music for Galway Data Breach Notification Policy Page 1 of 2
Policy statement
This policy sets out the procedures to be followed by Music for Galway in the event that personal data stored or processed is subject to a breach.
Definitions
• Personal data: Any information relating to an identified or identifiable natural person.
• A personal data breach: A breach of security that leads to the destruction, loss, alteration, unauthorised access to, or unauthorised disclosure of personal data.
• Processing: Applies to both automated personal data and to manual filing systems where personal information is accessible according to specific criteria.
• Data controller: A person, organisation, company or legal entity who controls and is responsible for the keeping and use of personal data on computer or in structured manual files.
• Data processor: A person, organisation, company or legal entity who processes personal data, but does not exercise responsibility for or control over the personal data.
Detection of personal data breaches
The Executive Director must be informed as soon as a member of staff becomes aware of their PC, laptop or mobile phone being hacked, lost or stolen.
The Executive Director must also be informed of a break-in to office spaces where personal records are held.
Responding to personal data breaches
Should a breach be detected, the Executive Director must be notified immediately.
The Executive Director will then follow the appropriate steps outlined in this policy and shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.
Notification to supervisory authority where Music for Galway is the data controller
• In the case of a personal data breach which is likely to result in a risk to the rights and freedoms of data subjects, the controller shall notify the supervisory authority within 72 hours of becoming aware of the breach.
You can contact the Office of the Data Protection Commissioner at:
Telephone: +353(0)761 104 800 or Lo Call Number 1890 252 231
Email: info@dataprotection.ie
Postal Address: Data Protection Commission, Canal House, Station Road
Portarlington, R32 AP23, Co. Laois
• Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
• Where the breach is not deemed likely to result in a risk to the rights and freedoms of data subjects, the Executive Director will take appropriate remedial action and document the breach.
The notification will contain:
• description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
• description of the likely consequences of the personal data breach
• description of the measures taken or proposed to be taken by us to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects
• details of whether the data subjects have been notified
• the name and contact details of the Music for Galway contact where more information can be obtained
Notification to Music for Galway where the company is data processor
All data processors used by Music for Galway are obliged to notify us of a personal data breach in accordance with the relevant Data Protection Contract.
Notification to data subjects where Music for Galway is the data controller
In the case of a personal data breach which is likely to result in a risk to the rights and freedoms of data subjects, we shall notify the data subjects within 72 hours of becoming aware of the breach.
The notification will contain:
• description of the nature of the personal data breach including details of the personal data records concerned
• description of the likely consequences of the personal data breach
• description of the measures taken or proposed to be taken by us to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects
• the name and contact details of the Music for Galway contact where more information can be obtained
Signature (Executive Director)
Date:
Review date: