Step 12: Responding to a breach

The Executive Committee is responsible for the security, integrity and confidentiality of all the data it holds. The Executive Committee is also obliged under GDPR to keep personal data safe and secure and respond promptly and appropriately to any data security breaches. Although all adult volunteers have a responsibility for the information they generate, manage, transmit and use in line with GDPR, it is the Executive Committee’s legal duty to secure personal and confidential data at all times.

Any person who knows or suspects that a breach of data security has occurred should report the breach immediately according to this Data Breach Response Plan.

It's vital that prompt action is taken in the event of any actual, potential or suspected breach of data security or confidentiality to avoid the risk of harm to young people or adult volunteers, damage to the Scouts' operations and severe financial, legal and reputational costs to the Movement as a whole.

What is a personal data security breach?

A data security breach is any event that has the potential to affect the confidentiality, integrity or availability of personal data held by the Scout Group, District, County/Area/Region (Scotland) in any format. Personal data security breaches can happen for a number of reasons, including:

  • the disclosure of confidential data to unauthorised individuals
  • the loss or theft of portable devices or equipment containing identifiable personal, confidential or sensitive data, e.g. PCs, USB drives, mobile phones, laptops, disks etc.
  • the loss or theft of paper records
  • inappropriate access controls allowing unauthorised use of information
  • a suspected breach of the IT security
  • attempts to gain unauthorised access to computer systems, e.g. hacking
  • records altered or deleted without authorisation from the data ‘owner’
  • viruses or other security attacks on IT equipment systems or networks
  • breaches of physical security, e.g. forcing of doors or windows into a secure room or filing cabinet containing confidential information
  • confidential information left unlocked in accessible areas
  • the insecure disposal of confidential paper waste
  • leaving IT equipment unattended when logged in to a user account without locking the screen to stop others accessing information
  • the publication of confidential data on the internet in error and accidental disclosure of passwords
  • misdirected emails or faxes containing identifiable personal, confidential or sensitive data

How to respond to a data breach?

In line with best practice, these five steps should be followed when responding to a data security breach:

1. Identification and initial assessment

2. Containment and recovery

3. Risk assessment

4. Notification

5. Evaluation and response