Jesus Youth JY UK Safeguarding
Section 9

Data Breach Procedures

Procedures for identifying, reporting, and managing personal data breaches at Jesus Youth UK, including ICO notification requirements.

What Is a Personal Data Breach?

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes:

  • Confidentiality breaches — personal data is disclosed to or accessed by an unauthorised person (e.g., an email sent to the wrong recipient, a lost laptop)
  • Availability breaches — personal data is lost or destroyed and cannot be recovered (e.g., a ransomware attack, accidental deletion without backup)
  • Integrity breaches — personal data is altered without authorisation (e.g., records are tampered with)

Identifying a Breach

All staff and volunteers must be vigilant in recognising potential data breaches. Examples include:

  • Sending an email containing personal data to the wrong person
  • Loss or theft of a device (laptop, phone, USB drive) containing personal data
  • Unauthorised access to personal data files or systems
  • Paper records containing personal data being lost, stolen, or left in an insecure location
  • A cyber attack resulting in access to personal data
  • Verbal disclosure of personal data to an unauthorised person
  • Disposal of personal data without appropriate security measures

Internal Reporting

Any staff member or volunteer who becomes aware of a potential data breach must:

  1. Report it immediately to the Data Protection Lead at safeguarding@jesusyouth.co.uk
  2. Provide as much detail as possible, including:
    • What happened and when
    • What data is involved
    • How many individuals are affected (or an estimate)
    • What action, if any, has already been taken
  3. Not attempt to investigate the breach themselves or take actions that might compromise evidence
  4. Not notify affected individuals without authorisation from the Data Protection Lead

All breaches must be reported internally within 24 hours of discovery, regardless of how minor they may appear.

Assessment of Risk

Upon receiving a breach report, the Data Protection Lead will:

  1. Assess the nature and severity of the breach, including:
    • The type and sensitivity of the data involved
    • The number of individuals affected
    • The likely consequences for affected individuals
    • Whether the data is encrypted or otherwise protected
  2. Determine the risk to individuals, categorised as:
    • No risk — unlikely to result in any harm
    • Low risk — may cause minor inconvenience
    • High risk — likely to result in significant harm (e.g., financial loss, discrimination, identity theft)
  3. Take immediate steps to contain the breach and mitigate harm, such as:
    • Revoking access to compromised systems
    • Recovering lost devices or data
    • Changing passwords
    • Isolating affected systems

ICO Notification

Under Article 33 of the UK GDPR, we must notify the Information Commissioner’s Office (ICO) of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.

The notification to the ICO will include:

  • A description of the nature of the breach
  • The categories and approximate number of individuals affected
  • The categories and approximate number of personal data records affected
  • The name and contact details of the Data Protection Lead
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach and mitigate its effects

If we are unable to provide all information within 72 hours, we will provide the information in phases without undue delay.

ICO breach reporting: ico.org.uk/make-a-complaint or telephone 0303 123 1113.

Communicating with Affected Individuals

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we will communicate the breach to those affected without undue delay, as required by Article 34 of the UK GDPR.

The communication will include:

  • A clear, plain-language description of what happened
  • The name and contact details of the Data Protection Lead
  • A description of the likely consequences
  • Steps individuals can take to protect themselves
  • What we are doing to address the breach

Communication will be made directly to affected individuals by email, letter, or other appropriate means. Where direct communication is not possible, we may use a public notice or similar measure.

Breach Register

Jesus Youth UK maintains a Breach Register to record all personal data breaches, regardless of whether they are reported to the ICO. The register includes:

  • Date and time the breach was discovered
  • Date and time the breach was reported internally
  • Description of the breach
  • Data and individuals affected
  • Risk assessment outcome
  • Whether the ICO was notified (and if not, the rationale)
  • Whether affected individuals were notified
  • Actions taken to contain and remediate the breach
  • Lessons learned and any changes made to prevent recurrence

The Breach Register is maintained by the Data Protection Lead and is reviewed regularly to identify trends and improve our data protection practices.

Learning from Breaches

Following any data breach, the Data Protection Lead will:

  • Conduct a post-incident review to understand what happened and why
  • Identify any changes to processes, training, or systems needed to prevent recurrence
  • Update this policy and related procedures if necessary
  • Provide additional staff and volunteer training where a breach resulted from human error
  • Report findings and recommendations to the leadership team