GDPR & Privacy Policy
PRIVACY POLICY
MITOS is committed to the protection of all personal data that it collects, stores and processes about clients, schools, companies, parents, carers, visitors and other individuals. This policy applies to all personal data regardless of its format. MITOS must process personal data according to the Data Protection Principles set out in the Data Protection Act 2018. This requires MITOS to collect and use data fairly, to store it safely and not to disclose it to any other person unlawfully. The requirement for MITOS to comply with this Act, in protecting the rights and privacy of individuals, imposes certain responsibilities on those who have access to the data, to understand their responsibilities and the implications of data misuse.
1. Purpose and Scope
This policy meets the requirements of the General Data Protection Regulation 2018 (hereafter referred to as GDPR) and the Data Protection Act 2018 (hereafter referred to as DPA), and is based on guidance published by the Information Commissioner’s Office (hereafter referred to as ICO) and the ICO’s Code of Practice for Subject Access Requests and Reporting of Data Breaches. MITOS is the Data Controller for the purposes of GDPR and DPA and is registered with the ICO (Registration No. ZB722956).
Marie El-Khazen (Director) is the data controller under the DPA and is ultimately responsible for its implementation. She is also the Data Protection Officer, who is MITOS’ primary contact for the Information Commissioner and is responsible for providing suitable DPA advisory, training and awareness services, handling DPA requests, ensuring compliance with the Information Commissioner, and keeping the Directors aware of relevant DPA issues.
3. Governance
This policy has been approved by the Directors and it will be reviewed annually with other policies and guidelines.
4. Rights of staff, clients and third parties
MITOS will ensure that the rights of people about whom the information is held can be fully exercised under the Regulation. MITOS will provide individuals with a copy of the information held about them within one month of receiving a request (subject access). This period may be extended by two further months where necessary, taking into account the complexity and number of the requests.
On receiving a subject access request MITOS will check and require evidence of the identity of the individual and any further information required to isolate the records of that individual.
Where a subject access request has a broad scope, MITOS may ask for more details from the data subject in order to locate the information that is of particular interest. Where a large volume of information is held, MITOS may seek to make the information available in ways other than providing a copy. This could include arranging an appointment for the data to be inspected. In addition to the personal data itself, the individual will be provided with any supporting information that is needed to understand the data held, and the processing of it.
Where information located as part of a subject access request (section 14) contains personal data about a third party, information will not be released unless the requirements set out in section 8.1 are met. The introduction of the right of access to non-personal information held by MITOS under the Freedom of Information Act 2000 may also need to be considered. This is because some requests may be for a combination of personal and non-personal information.
MITOS will comply immediately with a request from an individual to cease sending them marketing or consultation information.
Requests from individuals to correct, rectify, block or erase information that they regard as wrong, or to stop processing that is causing damage or distress, will be considered by MITOS on a case-by-case basis. The individual concerned will be fully informed of the resulting decision and the reasons for it.
An individual wishing to exercise any of their rights under the GDPR should put their request in writing to MITOS.
5. Roles and Responsibilities
The Directors have overall responsibility for ensuring that MITOS complies with all relevant data protection obligations. The Data Protection Officer (DPO) is responsible for overseeing the implementation of this policy, monitoring compliance with data protection law, and developing related policies and guidelines where applicable.
The MITOS team (including staff, consultants and contractors) are all responsible for:
- collecting, storing and processing any personal data in accordance with this policy;
- informing MITOS of any changes to their personal data, such as a change of address;
- contacting the DPO in the following circumstances:
  - with any questions about the operation of this policy, data protection law, retaining personal data or keeping personal data secure;
  - if they have any concerns that this policy is not being followed;
  - if they are unsure whether or not they have a lawful basis to use personal data in a particular way;
  - if they need to rely on or capture consent, draft a privacy notice, deal with data protection rights invoked by an individual, or transfer personal data outside the European Economic Area;
  - if there has been, or they suspect, a data breach;
  - whenever they are engaging in a new activity, including the procurement of new technologies or equipment, that may affect the privacy rights of individuals;
  - if they need help with any contracts or sharing personal data with third parties.
6. Data Protection Principles
Personal data must be:
- used lawfully, fairly and transparently;
- used for limited, specifically stated purposes;
- used in a way that is adequate, relevant and not excessive;
- accurate;
- kept for no longer than is absolutely necessary;
- handled according to people’s data protection rights;
- kept safe and secure.
7. Collecting personal data
MITOS collects and processes personal data where it has a lawful basis (legal reason) to do so under Article 6 of GDPR. The lawful bases are:
- Contract - the data needs to be processed to fulfil a contract between MITOS and an individual, or where the individual has asked MITOS to take specific steps before entering into a contract;
- Legal obligation - to comply with the law, e.g. the Education Act 1996;
- Public interest - to allow MITOS to perform a task in the public interest or an official function when providing education;
- Vital interests - to prevent someone from being seriously harmed or killed;
- Legitimate interests - to collect and process information that is necessary (except where this would be unfair to an individual). MITOS has a legitimate interest in:
  - providing educational support;
  - safeguarding and promoting client welfare;
  - promoting the objects and interests of MITOS, including fundraising and marketing through the website and social media;
  - ensuring the efficient operation of MITOS and that all relevant legal obligations of MITOS are complied with;
- Consent - where the Data Subject (or their parent/carer when appropriate, e.g. where the client is under the age of 13) has freely given clear consent.
MITOS collects and processes special categories of personal data. Where this is necessary MITOS will also meet one of the special category conditions for processing which are set out in Article 9 of the GDPR. Special category conditions are:
- Substantial public interest - where processing is necessary for reasons of substantial public interest;
- Vital interests - to protect a client where they are unable to give consent, e.g. if they are seriously hurt and/or unconscious;
- Legal claims - where processing is necessary for the establishment, exercise or defence of legal claims. This allows MITOS to share information with their legal advisors and insurers;
- Medical purposes - this includes medical treatment and the management of healthcare services;
- Explicit consent - the Data Subject (or their parent/carer when appropriate, e.g. where the client is under the age of 13) has freely given explicit consent;
- Archiving purposes in the public interest.
MITOS will only collect personal data for specified, explicit and legitimate reasons. The reasons for collecting data are explained to Data Subjects and/or their parent/carer when we first collect their data (usually on employment or admission, or where the data is associated with governance, for example).
If MITOS wants to use personal data for any reasons other than those given when we first obtained it, or in subsequent privacy notices, it will inform the individuals concerned, and seek consent where necessary, prior to processing. Staff must only process personal data where it is necessary in order to do their jobs. Personal data that has been processed must be archived, anonymised or destroyed as soon as possible.
8. Disclosure and Sharing Personal Data
8.1 Third party access to information
Where a request for personal data is made by a third party on behalf of the data subject it shall be treated as a subject access request. Evidence is required that the third party is entitled to act in this way, such as a written statement from the data subject or an enduring power of attorney.
Appropriate professionals may need to be consulted before a decision to release the personal data is made. Occasionally, third party information may form part of the data extracted in response to a subject access request. In deciding whether to release this information, MITOS will consider the following:
- any duty of confidentiality owed to the third party;
- attempts to get consent from the third party;
- any express refusal of consent from the third party;
- the third party’s expectations with respect to that data.
When a request for personal data is made by a third party and not on behalf of the data subject, MITOS shall consider the request under Freedom of Information as well as GDPR. It shall consider whether releasing the personal data would breach any of the Data Protection principles and in particular whether any exemptions under GDPR apply.
Personal information will not be shared with third parties unless specifically allowed for in law and justified in the specific situation. The Freedom of Information policy deals with requests for information about third parties, and information will be withheld where disclosing it would breach any of the Data Protection principles. Where a requester does not state a specific reason for requesting the information then the FOI policy should be followed. When there is a specific reason for requesting the information, an exemption under GDPR may apply.
Examples are where information is required for the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of tax. If an appropriate exemption under GDPR does apply, so that the Data Protection principles will not be breached, MITOS will usually comply with the request. However, without a Court Order there is no obligation on MITOS to disclose the information. Where MITOS is not convinced that the third party is entitled to the personal data or that an exemption under GDPR applies, or where releasing the information would breach the Data Protection principles, the personal data will be withheld and only released on presentation of a Court Order.
8.2 Information sharing
MITOS promotes information sharing where it is in the best interests of the data subject. However, sensitive personal data will not be shared unless it is in connection with the primary purpose for which the information was collected, or the data subject has explicitly given their permission for the information to be shared for this purpose, or another legal provision (e.g. a GDPR exemption) allows the sharing of such information. MITOS will ensure that supporting processes and documentation are made available to professionals so that they understand how to share information safely and lawfully. Where an employee, acting in good faith, has shared information in accordance with these supporting processes and guidance, they shall not normally be subject to disciplinary action. Sharing large sets of information, or recurrent regular sharing, shall be carried out under a written agreement to ensure continued compliance with the GDPR and so that additional safeguards can be considered and put in place.
8.3 Contractual and partnership arrangements
When MITOS enters contractual or partnership arrangements which involve the processing of personal data, a written agreement will specify which party is data controller or whether there are joint data controller arrangements. Where a third party is processing personal data and information on behalf of MITOS, a written contract will be put in place.
Specific care will be taken in respect of services provided online and via ‘the cloud’. Where MITOS remains as data controller, it will take steps to ensure that the processing by its contractors and subcontractors will comply with GDPR. Contractors will not be able to sub-contract Data Processing without the explicit written permission of MITOS. Staff will take reasonable steps to ensure that data processing by third parties is regularly monitored to ensure GDPR requirements are being met. Where the parties are data controllers jointly or in common, MITOS will liaise with the other party to ensure that all processing complies with GDPR. The responsibilities of each data controller should be expressly and clearly laid out.
All contractors who are users of personal information supplied by MITOS will be required to confirm that they will abide by the requirements of the Regulation to the same standard as MITOS with regard to information supplied by MITOS. Staff should obtain advice from the Directors as necessary. All contractors, consultants, partners or agents of MITOS must ensure that they and all of their staff who have access to personal data held or processed for or on behalf of MITOS, are aware of this policy and are fully trained in and are aware of their duties and responsibilities under the Regulation. Any breach of any provision of the Regulation will be deemed as being a breach of the contract between MITOS and that individual, company, partner or firm. MITOS shall take reasonable steps to ensure regular monitoring of contracts and specifically the security of data being processed on its behalf.
Any observed or suspected security incidents or security concerns should be reported to MITOS. All contractors, consultants, partners or agents must allow data protection audits of data held on its behalf if requested in line with these contractual arrangements. NB: It is expected that all contractors, consultants, partners or agents must indemnify MITOS against any prosecutions, claims, proceedings, actions or payments of compensation or damages, without limitation.
9. Subject Access Request
All Subject Access Requests (SARs) or enquiries about accessing personal data should be referred to the DPO in the first instance. A SAR is a written request for the personal data held by MITOS about an individual, or Data Subject.
Generally, individuals have the right to see what personal data MITOS holds about them and are entitled to be given a description of the information, what it is used for, who it is shared with and how MITOS protects, stores and destroys the individual’s personal data.
Checking of Identity
On receipt of a SAR the DPO will need to establish the requestor’s identity to ensure that information is not accidentally shared with another person. It may be necessary therefore, to ask the requestor to provide documents to evidence their identity.
9.1 Children and subject access requests
Children under the age of 13 are generally not regarded to be mature enough to understand their rights and the implications of a subject access request. Therefore, most subject access requests from parents/carers of clients under the age of 13 may be granted without the express permission of the client.
If a Subject Access Request is received from a parent/carer of a child aged between 13 and 16, the DPO will need to consider whether the child can provide their consent to the parent/carer acting on their behalf. The DPO will also consider whether the child understands why the Subject Access Request is being made and whether they are able to understand the information that they will receive. If a Subject Access Request is made for a child over the age of 16, the child will be required to give consent.
If the person requesting the information is a representative of the Data Subject then the representative must supply proof of the Data Subject’s consent for the release of their personal data, or an explanation of why they are entitled to make the request. An individual appointed to act for someone under the Mental Capacity Act 2005 must confirm their capacity to act on the Data Subject’s behalf and explain how they are entitled to access the information.
9.2 Rights of data subjects to access personal data
GDPR states an individual, or Data Subject, has the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her is being processed. Where that is the case, the Data Subject is entitled to make a written request to access their personal data and ascertain the following:
- categories of their personal data processed;
- purposes of the processing of their personal data;
- recipients, or categories of recipients, to whom their personal data has or will be disclosed;
- period for which their personal data may be stored;
- where their personal data has not been collected directly from the Data subject, any available information as to the source of that data;
- the existence of any automated decision making and information about that decision making;
- where personal data is transferred to a third country or to an international organisation, the appropriate safeguards which have been made relating to the transfer.
The Data Subject also has the right to request a Data Controller to rectify incorrect personal data, and in some circumstances the Data Subject may be able to object to and restrict processing of personal data or ask for its erasure. Data Subjects have the right to lodge a complaint with the ICO. Data Subjects include all staff and clients of MITOS and any other person about whom MITOS holds and processes personal data (third parties).
9.3 Opt out rights
MITOS may not always seek the consent of data subjects when processing personal data, for example, when processing for normal business purposes or when the information is already in the public domain. If any person has good reason for wishing their details to remain confidential in any such instance, they should contact the Data Protection Officer.
10. Validation and collation of information
An individual is only entitled to personal data about themselves. Therefore, if the personal data includes information about someone else, MITOS will need to redact the information about the third party before supplying the personal data to the individual making the subject access request; in some cases it may not be possible to supply such data and MITOS may decline to provide it.
If responding to a Subject Access Request would involve providing information which relates to the individual but also includes a third party, then MITOS does not have to comply with the request if it would mean disclosing material about the other individual. Material qualifies as third party information either if the other person can be identified as the source of the information, or if they are simply included in it, e.g. as a witness. However, third party material is not automatically excluded, and MITOS would be able to provide the information about another person if:
- that person has given their consent;
- it is reasonable to go ahead without their consent.
In deciding whether it is reasonable to go ahead without consent, the DPO would take account of:
- any duty of confidentiality MITOS owes to the other person;
- anything that MITOS has done to try and get their consent;
- whether they are able to give consent;
- whether they have refused consent.
Before sharing any information that relates to third parties, MITOS will, where possible, anonymise information that identifies third parties not already known to the individual (e.g. employees), and redact information that might affect the third parties’ privacy. MITOS may also summarise information rather than provide a copy of the whole document. GDPR requires the Data Controller to provide personal information, not documents.
Information that is subject to legal professional privilege may be held back – this protects communications between lawyers and their clients for the purposes of giving or obtaining legal advice and communications between lawyers, clients and third parties made for the purposes of litigation, either actual or contemplated.
11. Responsibilities and Penalties
11.1 Persons who process personal data on behalf of MITOS
Anyone who processes (stores or uses) personal data on behalf of MITOS has a responsibility to ensure that the Data Protection Principles are observed. Detailed advice on how to achieve this is given in the Data Protection Policy Guidelines, which summarise detailed guidance from the Office of the Information Commissioner or the JISC Code of Practice.
11.1.1 Staff
Staff who, as part of their responsibilities, process personal information about other people (for example, about clients’ work, personal circumstances of other members of staff or research data from human subjects), must comply with this Data Protection Policy.
11.1.2 Others working for and on behalf of MITOS
Others working for and on behalf of MITOS (usually called third parties), who handle personal data in connection with MITOS should operate in accordance with the DPA and details of any such processing should be subject to written agreements between MITOS and the third party. Such third parties include external supervisors, suppliers or customers.
11.2 Persons who provide personal data to MITOS
Everyone who provides personal data to MITOS is responsible for ensuring adherence to the Data Protection Principles, especially with regard to accuracy and, in the case of third parties providing the personal data of others, the right to disclose this personal data.
11.3 Penalties
It is a criminal offence to access personal data held by MITOS for anything other than MITOS business, or to procure the disclosure of personal data to a third party. It is a further offence to sell such data. Employees who access or use personal data held by MITOS for their own purposes will be in breach of relevant policies, including but not limited to, the Employee Handbook and subject to disciplinary action, which could include dismissal.
12. Data Quality, Integrity and Retention
- Personal data held will be relevant to the stated purpose and adequate but not excessive.
- MITOS will ensure, as far as is practicable, that the information held is accurate and up-to-date.
- If personal data is found to be inaccurate, this will be remedied as soon as possible.
- Personal information, such as contact details, may be shared within MITOS where it is necessary to keep records accurate and up-to-date, and in order to provide individuals with a better service.
- Records may include professional opinions about individuals but employees will not record any personal opinions about individuals.
- Information will only be held for as long as is necessary after which the details will normally be deleted. Where details of individuals are stored for long-term archive or historical reasons, and where it is necessary to retain the personal detail within the records, it will be done within the requirements of the legislation.
- Redundant personal data will be destroyed using the procedure for disposal of confidential waste and in accordance with retention schedules.
13. Security
Any inappropriate, unauthorised access of data, use or misuse of data or failure to comply with ICT security arrangements and policies may result in disciplinary action, including dismissal.
MITOS will implement appropriate technical and organisational security measures so that unauthorised staff and other individuals are prevented from gaining access to personal information.
An employee must only access personal data they need to use as part of their job.
Inappropriate or unauthorised access may result in disciplinary action, including dismissal and criminal prosecution.
All staff will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. All data breaches (however minor) should be reported to the DPO. Details of the breach must be logged.
Manual files and other records or documents containing personal/sensitive data will be kept in a secure environment and accessed on a need-to-know basis only. Personal data held on computers and computer systems will be protected by user-profile password controls, encryption and, where necessary, audit and access trails to establish that each user is fully authorised.
Personal data should not be held on unencrypted electronic devices. Security arrangements will be reviewed regularly, any reported breaches or potential weaknesses will be investigated and, where necessary, further or alternative measures will be introduced to secure the data.
Access to personal data outside of the MITOS Office should not be attempted using unsecured access systems (this includes via mobile networks outside the UK, unless the network has been checked in advance to be compliant under data protection law). System testing will only be carried out using personal data where sufficient safeguards are in place, and will not be undertaken on live databases accessing live sensitive personal data.
Personal data will not be transferred outside the European Economic Area without the approval of the data controller. If in doubt, contact the DPO before any data is transferred.
13.1 Paper-based records
Paper-based records that contain personal data must:
- be kept in a secure locked cupboard/office when not in use;
- not be left unattended on office desks;
- not be pinned to notice/display boards in areas;
- not be stored, or left, in any area where clients, parents/carers or visitors may be left unattended.
Where documents containing personal information need to be taken off site, staff must ensure that documents are not left unattended at any time and are returned to secure storage at the MITOS’ premises at the earliest possible opportunity.
13.2 Electronic records that contain personal data
Electronic records that contain personal data must:
- only be viewed on devices that are protected by strong passwords, automatic screen locking and up to date security software;
- not be downloaded onto portable storage devices and/or personal devices. The use of removable media such as USB is not allowed.
Documents and folders that contain personal data should only be sent or shared:
- as a link to an Outlook document which has appropriate sharing and security rights;
- as an encrypted, or password protected, attachment if sent externally;
- if an external agency requests that data is sent in an unencrypted manner (e.g. the school of a client), this MUST be discussed with the DPO before the data is sent.
Documents should be only viewed and not downloaded to personal devices. Security settings on Outlook documents can be set to restrict downloading and printing of documents as required.
14. Subject Access Requests and Data Protection Complaints
Subject access requests and data protection complaints should be addressed to: Ms. Marie El-Khazen (complaints@mitos.org.uk)
The application will be acknowledged in writing. Once any queries around the information requested and identification have been resolved MITOS will normally have 30 days to respond to the request.
Where the Subject Access Request was made by electronic means, and unless the Data Subject requests otherwise, the information will be provided in a commonly used electronic form. Where this is impossible, or where it would involve undue effort to complete a data request, an alternative would be to allow the requestor to view the information on screen at MITOS’ premises. Information will not be disclosed by fax or telephone. Disclosure by post is usually made by first class post to the address provided or, if appropriate, to a named representative.
Complaints will be dealt with in accordance with this policy.
Individuals have a right to request that the Information Commissioner make an assessment of compliance of particular circumstances with the General Data Protection Regulation. If individuals are not happy about how MITOS has handled their information they can contact the ICO by post at: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Alternatively, visit their website at www.ico.gov.uk or contact them by phone on 03031231113.
MITOS will respond promptly and fully, to any request for information about data protection compliance made by the Information Commissioner. MITOS will comply with any Information Commissioner Information Notice (to provide answers and information to the Commissioner) or Enforcement Notice (for failure to provide answers or information or for a breach of the Act) sent by the Information Commissioner. The Commissioner can also carry out audits, prosecute individuals and organisations and report concerns to Parliament.
15. Other data protection rights of the individual
In addition to the right to make a subject access request, individuals also have the right to:
- withdraw their consent to processing at any time (in certain circumstances);
- rectify, erase or restrict processing of their personal data, or object to the processing of it (in certain circumstances);
- prevent use of their personal data for direct marketing;
- challenge processing which has been justified on the basis of public interest;
- request a copy of agreements under which their personal data is transferred outside of the European Economic Area;
- object to decisions based solely on automated decision making or profiling (decisions taken with no human involvement, that might negatively affect them);
- prevent processing that is likely to cause damage or distress;
- be notified of a data breach in certain circumstances;
- make a complaint to the ICO;
- ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format (in certain circumstances).
Individuals should submit any request to exercise these rights to the DPO. If staff receive such a request, they must immediately forward it to the DPO.
Personal data that is no longer needed must be disposed of securely. Personal data that has become inaccurate, or out of date, will also be disposed of securely where it cannot or does not need to be rectified or updated. Staff who are responsible for archiving client and staff files (electronic and paper) must familiarise themselves with the MITOS’ Data Retention Guidelines before disposing of any personal data.
In exceptional circumstances it may be necessary to retain data beyond the retention period. This may be in response to MITOS receiving notification of legal proceedings or legal action (or potential legal action), government or regulatory investigation or complaints or claim against or involving MITOS.
In the event of such an occurrence the data should be flagged with the DPO, and all relevant data retained and flagged with “DO NOT DESTROY THIS DATA”. If there is any doubt over whether data should be retained or destroyed then the DPO should be consulted. Where it is then agreed that personal data has reached the end of the retention period, and does not need to be kept for any of the exceptional circumstances detailed above, it should be destroyed by the following method:
- Electronic files and emails containing personal data must be reviewed regularly. If the personal information is no longer required, and does not need to be retained, it should be deleted. If the information needs to be retained it should be attached electronically to the MITOS Database or archived according to the retention guidelines;
- Paper based records containing personal data must be disposed of in the confidential shredding bins;
- Printer films and tapes containing personal data will be placed in a sealed envelope and stored in a secure locked cupboard/safe for disposal with the contractor responsible for confidential shredding bins. A separate certificate will be issued for their disposal.
- Defunct IT hardware containing personal data will be disposed of by a specialist IT disposal contractor, and a certificate will be required to prove correct disposal.
- Hard drives which have been removed and stored for reuse will have any data erased before being moved to secure locked storage.
- Backup tapes, if used, containing personal data will be deleted, or overwritten, when the stored data has reached the end of its retention period.
17. Data Breach
17.1 Definitions / Types of breach
Data security breaches include both confirmed and suspected incidents. An incident in the context of this policy is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately, and has caused or has the potential to cause damage to MITOS’ information assets and / or reputation.
An incident includes, but is not restricted to, the following:
- loss or theft of confidential or sensitive data or equipment on which such data is stored (e.g. loss of laptop, USB stick, iPad / tablet device, or paper record);
- equipment theft or failure;
- system failure;
- unauthorised use of, access to or modification of data or information systems;
- attempts (failed or successful) to gain unauthorised access to information or IT system(s);
- unauthorised disclosure of sensitive / confidential data;
- website defacement;
- hacking attack;
- unforeseen circumstances such as a fire or flood;
- human error;
- ‘blagging’ offences where information is obtained by deceiving the organisation who holds it.
17.2 Reporting an incident
Any individual who accesses, uses or manages the information systems run by MITOS is responsible for reporting data breaches and information security incidents immediately to the Data Protection Officer. This report should be made both verbally and in writing.
If the breach occurs or is discovered outside normal working hours, it must be reported as soon as is practicable. The report must include full and accurate details of the incident, when the breach occurred (dates and times), who is reporting it, if the data relates to people, the nature of the information, and how many individuals are involved.
All staff should be aware that any breach of Data Protection legislation may result in MITOS’ Disciplinary Procedures being instigated.
17.3 Containment and recovery
The Data Protection Officer (DPO) will first determine whether the breach is still occurring. If so, the appropriate steps will be taken immediately to minimise the effect of the breach. An initial assessment will be made by the DPO in liaison with other relevant staff to establish the severity of the breach and who will take the lead in investigating it, as the Lead Investigation Officer (this will depend on the nature of the breach; in some cases it could be the DPO). The Lead Investigation Officer (LIO) will establish whether there is anything that can be done to recover any losses and limit the damage the breach could cause. The LIO will establish who may need to be notified as part of the initial containment and will inform the police, where appropriate. Advice from experts may be sought in resolving the incident promptly. The LIO, in liaison with the relevant staff, will determine the suitable course of action to be taken to ensure a resolution to the incident.
17.4 Investigation and risk assessment
An investigation will be undertaken by the LIO immediately and wherever possible, within 24 hours of the breach being discovered / reported. The LIO will investigate the breach and assess the risks associated with it, for example, the potential adverse consequences for individuals, how serious or substantial those are and how likely they are to occur. The investigation will need to take into account the following:
- the type of data involved;
- its sensitivity;
- the protections in place (e.g. encryption);
- what has happened to the data (e.g. has it been lost or stolen?);
- whether the data could be put to any illegal or inappropriate use;
- Data Subject(s) affected by the breach, number of individuals involved and the potential effects on those Data Subject(s);
- whether there are wider consequences to the breach.
17.5 Notification
The LIO and / or the DPO, in consultation with relevant colleagues will establish whether the Information Commissioner’s Office will need to be notified of the breach, and if so, notify them within 72 hours of becoming aware of the breach, where feasible.
Every incident will be assessed on a case by case basis; however, the following will need to be considered:
- whether the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms under Data Protection legislation[1];
- whether notification would assist the individual(s) affected (e.g. could they act on the information to mitigate risks?);
- whether notification would help prevent the unauthorised or unlawful use of personal data;
- whether there are any legal / contractual notification requirements;
- the dangers of over notifying.
17.6 Evaluation and response
Once the initial incident is contained, the DPO will carry out a full review of the causes of the breach; the effectiveness of the response(s) and whether any changes to systems, policies and procedures should be undertaken. Existing controls will be reviewed to determine their adequacy, and whether any corrective action should be taken to minimise the risk of similar incidents occurring. The review will consider:
- where and how personal data is held and where and how it is stored;
- where the biggest risks lie including identifying potential weak points within existing security measures;
- whether methods of transmission are secure, and whether only the minimum amount of data necessary is shared;
- staff awareness;
- implementing a data breach plan and identifying a group of individuals responsible for reacting to reported breaches of security.
If deemed necessary, a report recommending any changes to systems, policies and procedures will be considered by the Directors.
17.7 Policy Review
This policy will be updated as necessary to reflect best practice and to ensure compliance with any changes or amendments to relevant legislation.
18. Implementation
MITOS will ensure that:
- Everyone managing and/or handling personal information understands that they are contractually responsible for following good data protection practice.
- Everyone managing and/or handling personal information is appropriately trained to do so.
- Everyone managing and/or handling personal information is appropriately supervised.
- Anyone wanting to make enquiries about handling personal information, whether a member of staff or a member of the public, is given advice as necessary.
- Queries about handling personal information are promptly and courteously dealt with.
- Methods of handling personal information are regularly assessed and evaluated.
- Performance with handling personal information is regularly assessed and evaluated.
- Employees are aware of the action required in the event of a Data Breach.
On joining MITOS, employees are required to undertake training on Data Protection and ICT Security as part of their induction. They will not be allowed to use the network until successfully completing the training.
The Data Protection Officer works with teams to maintain the on-going programme of training and awareness to maintain a high level of understanding of Data Protection and security among all staff and to communicate any legal or policy changes that occur.
Cookie Policy
This website, www.mitos.work (the "Website"), is operated by MITOS Global Limited.
What are cookies?
Cookies are small text files stored in your web browser that allow MITOS or a third party to recognise you. Cookies can be used to collect, store and share bits of information about your activities across the MITOS website.
Cookies might be used for the following purposes:
- To enable certain functions
- To provide analytics
- To store your preferences
- To enable ad delivery and behavioural advertising
MITOS uses both session cookies and persistent cookies.
A session cookie is used to identify a particular visit to our Website. These cookies expire after a short time, or when you close your web browser after using our Website. We use these cookies to identify you during a single browsing session, such as when you log into our Website.
A persistent cookie will remain on your device for a set period of time specified in the cookie. We use these cookies where we need to identify you over a longer period of time. For example, we would use a persistent cookie if you asked that we keep you signed in.
How do third parties use cookies on the MITOS Website?
Third party companies like analytics companies and ad networks generally use cookies to collect user information on an anonymous basis. They may use that information to build a profile of your activities on the MITOS Website and other websites that you've visited.
What are your cookie options?
If you don't like the idea of cookies or certain types of cookies, you can change your browser's settings to delete cookies that have already been set and to not accept new cookies. To learn more about how to do this, visit the help pages of your browser.
Please note, however, that if you delete cookies or do not accept them, you might not be able to use all of the features we offer, you may not be able to store your preferences, and some of our pages might not display properly.
Policy Review
We are committed to reviewing our policy and best practice annually.
Reviewed on: 30 September 2024
Signed: Marie El-Khazen (Director)
Review Date: 30 September 2025