Draft: Millwood Bowling Club: Data Breach Procedure
1. Definition of a Breach
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, member data. It includes accidents and mistakes as well as deliberate attacks.
- Examples: A lost USB stick containing member addresses, sending a club-wide email with every member's address in the To or CC field instead of BCC, or a break-in at the clubhouse where membership forms are stolen.
2. Immediate Response (The First 24 Hours)
Once a potential breach is identified, the Data Protection Officer (DPO) or a designated Committee Member must:
- Contain: Take immediate steps to stop the leak (e.g., change passwords, remote-wipe a lost device, revoke a shared link, or ask the recipient of an incorrectly sent email to delete it and confirm they have done so).
- Assess: Determine what data was involved, how sensitive it is (e.g., names only, or bank details or health information), how many members are affected, and whether the data was protected (e.g., an encrypted device whose password has not been exposed).
- Record: Log the breach in the club's Internal Breach Register, even if it does not need to be reported externally. The entry should note the date and time the breach was discovered, what happened, the data and members affected, the likely consequences, and the remedial action taken.
3. Risk Assessment Matrix
The Committee must decide if the breach needs to be reported to the Information Commissioner's Office (ICO). A breach must be reported to the ICO unless it is unlikely to result in a risk to members, and the report must be made without undue delay and, where feasible, within 72 hours of the club becoming aware of it. Affected members must also be told, without undue delay, where the breach is likely to result in a high risk to them.

| Risk Level | Description | Action Required |
| --- | --- | --- |
| Low Risk | Unlikely to result in a risk to members (e.g., an encrypted file or device is lost and the password or key has not been compromised). | Record internally; no notification needed. |
| Medium Risk | Could cause inconvenience or some risk to members (e.g., names and phone numbers leaked). | Notify the ICO within 72 hours; record internally; consider informing affected members. |
| High Risk | Could result in identity theft, fraud, or distress (e.g., bank details or health information leaked). | Must notify the ICO within 72 hours and inform affected members without undue delay; record internally. |