PROCEDURE FOR ACTION IN THE EVENT OF A PERSONAL DATA BREACH
AT "PRIVATE KINDERGARTEN TUTI 2011" LTD.
The procedure has been developed to support the activities of "Private Kindergarten Tutti 2011" Ltd. in responding to personal data security breaches.
1. Terminology clarifications – for the purposes of this procedure:
1.1. "Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data transmitted, stored, or otherwise processed (Article 4(12) of Regulation (EU) 2016/679).
1.2. "Destruction" occurs when personal data is no longer available or no longer available in a form that the controller can use.
1.3. "Damage" occurs when personal data is altered, falsified, or rendered incomplete.
1.4. "Loss" is a situation where the data may still be available, but the controller has lost control or access to it, or it is no longer in its possession.
1.5. "Unauthorized disclosure" is the disclosure of personal data to or provision of access to recipients who are not authorized to receive or access it.
2. Signs of a personal data security breach
2.1. Upon establishing signs of a personal data breach, every employee of "Private Kindergarten Tutti 2011" Ltd. is obliged to immediately inform their immediate supervisor, the data protection officer, and the director of the kindergarten/school.
2.2. Signs of security breaches may include: indicators from physical protection systems, loss of documents containing personal data or personal data carriers, inaccessibility of information systems in which personal data is processed, and other similar situations in which there is a likelihood of destruction, damage, loss, or unauthorized access to personal data.
3. Determining the nature of the breach
3.1. The data protection officer shall assess whether there has been a personal data breach and, if so, its nature.
3.2. Personal data security breaches are categorized into the following types, as well as any combination thereof:
• breach of confidentiality – when there is unauthorized or accidental disclosure of or access to personal data;
• breach of integrity – when there is unauthorized or accidental alteration of personal data;
• availability breach – when there is unauthorized or accidental loss of access to or destruction of personal data. Loss of availability for a certain period of time is also a type of breach if it could have a significant impact on the rights and freedoms of individuals.
The nature of the breach shall be taken into account when implementing measures to address the consequences of the personal data breach.
3.3. The data protection officer's assessment shall be provided to the kindergarten director as soon as possible.
4. Analysis of the risk of the breach to the rights and freedoms of individuals
The risk is defined as the possibility of material or non-material damage to the data subject under certain conditions, assessed in terms of its severity and likelihood.
When determining the likelihood and severity of the risk, the following circumstances shall be taken into account:
1. Nature of the data subject to the security breach – the risk may vary depending on whether the data affected by the breach are "ordinary" personal data, special categories of personal data, or data relating to criminal convictions and offences. The risk is expected to be higher for special categories of personal data and for personal data relating to criminal convictions and offences.
2. Scope of the breach – what proportion of the personal data processed is affected; does the personal data affected represent a significant volume at regional, national, or supranational level; could the scope of the breach increase in scale over time?
3. Context of the processing – determining the circumstances in which the personal data is processed, e.g. in the employment context, processing for statistical research, whether there is cross-border movement of personal data, whether it has been transferred outside the European Union, which may make it difficult for individuals to exercise their data protection rights.
4. Purpose of the processing – taking into account the original purposes for which the data was collected, as well as any compatible subsequent purposes for which the data has been used. The risk analysis should take into account the potential impact on the rights and freedoms of data subjects for every purpose of the processing.
5. Nature of the breach – categorization of whether the breach affects the confidentiality, integrity, or availability of personal data, or a combination thereof.
6. Ease of identification of natural persons – the risk increases if, based on the personal data affected by the breach, natural persons are identified or can be easily identified, and is excluded if the persons cannot be identified.
7. Severity of the consequences for the individuals concerned – this is assessed as a combination of the likelihood of harmful consequences occurring (low, medium, high) and their severity, determined according to the rights and freedoms affected.
8. Special characteristics of the individuals concerned – it is examined whether the group of individuals concerned consists of vulnerable groups, such as children, employees, and others, taking into account the specificities of the case.
9. Approximate number of individuals affected – determined as a total number and, where possible, differentiated according to the nature of the breach.
10. Approximate number of personal data records affected – indicative of the scope of the breach.
There is a risk of a personal data breach when the controller is unable to comply with the principles relating to the processing of personal data – lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, accountability.
There is a high risk of a personal data breach when physical, material, or non-material damage may be caused to the individuals concerned, such as loss of control over their personal data or restriction of their rights, discrimination, identity theft or fraud, financial loss, unauthorised removal of pseudonymisation, damage to reputation, breach of confidentiality of personal data protected by professional secrecy, or any other significant economic or social disadvantage to the individuals concerned.
High risk may result from the vulnerability of the individuals whose data are being processed, such as children, or from the volume of personal data and the impact on a large number of data subjects.
For the objectivity of the analysis, the Recommendations for a methodology of the assessment of severity of personal data breaches of the European Union Agency for Cybersecurity (ENISA) are applied; the part of the methodology used is set out in Appendix 1 to this procedure.
The controller or data protection officer shall document the analysis of the severity of the breach and the risks it poses, in accordance with the principle of accountability.
5. Taking measures to limit the adverse effects
Depending on the type of personal data breach, measures shall be taken to limit its adverse effects in the following areas:
• in the event of a breach of confidentiality: immediate cessation of unauthorised access to personal data; deletion of personal data in all unauthorised publications, including requests for removal from cached versions of web pages where they have been published; encryption of personal data when sending it; notification of the prosecutor's office and the police if the act constitutes a crime; temporary suspension of access to the electronic service that is the subject of the breach; other preventive or follow-up measures;
• in the event of a breach of integrity: restoring the data to its state prior to the unauthorised or accidental change; determining whether inaccurate data has been transmitted to recipients; notifying recipients to correct the data; other preventive or follow-up measures;
• in the event of a breach of availability: determining whether the unauthorised or accidental loss of access to personal data is for a limited period of time or permanent; restoring personal data from backups or other sources; determining whether the loss of availability has a negative impact on the rights and freedoms of the individuals concerned; other preventive or follow-up measures.
If it is not possible to identify appropriate measures to address the personal data breach, the supervisory authority shall be notified immediately.
6. Notification of the supervisory authority of a personal data breach
Pursuant to Article 33 of Regulation (EU) 2016/679, the controller shall notify the supervisory authority – for the Republic of Bulgaria, the Commission for Personal Data Protection, address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd., email kzld@cpdp.bg, website www.cpdp.bg. The obligation to notify the supervisory authority applies if there is a likelihood that the personal data breach will result in a risk to the rights and freedoms of natural persons.
Regardless of the level of risk, it must be identified. For example, there will be no risk, and therefore no requirement to notify the supervisory authority, if a flash drive containing encrypted data is stolen or lost and the decryption key has not been disclosed. If the key is disclosed later, notification is mandatory. No notification is required in the event of a short-term loss of availability, for example a power failure, but such an incident must be recorded in the personal data breach register.
The supervisory authority shall be notified without undue delay and, where possible, no later than 72 hours after becoming aware of the breach. If no measures can be taken to mitigate the adverse effects, the supervisory authority shall be notified immediately.
The information to the supervisory authority shall include:
(a) a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b) the name and contact details of the data protection officer or other contact point from which more information can be obtained;
(c) a description of the possible consequences of the personal data breach;
(d) a description of the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
If the notification is submitted after the expiry of the 72-hour period from becoming aware of the breach, it must also contain the reasons for the delay.
Regulation (EU) 2016/679 allows the information in the notification to be submitted in stages when and to the extent that it is not possible to provide it simultaneously. Staggered notification is likely to apply in more complex incidents where it is not possible to fully clarify the circumstances within the notification deadline.
7. Communication to data subjects affected by the breach
Communication to data subjects affected by the security breach is required where the breach is likely to result in a high risk to the rights and freedoms of natural persons.
There is no deadline for notifying the data subject of the breach, but this should be done when reasonably practicable and in close cooperation with the supervisory authority, following its guidance.
The notification should be in clear and plain language and contain:
• a description of the nature of the personal data breach;
• the name and contact details of the data protection officer or other contact point from which more information can be obtained;
• a description of the possible consequences of the breach;
• a description of the measures taken or proposed by the controller to address the breach and mitigate any possible adverse effects.
Article 34(3) of Regulation (EU) 2016/679 lists three alternative conditions under which communication of the breach to the data subject is not required:
• the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular measures that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
• the controller has subsequently taken measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;
• the communication would involve disproportionate effort, in which case the Regulation requires a public communication or other similar measure to be taken so that data subjects are informed in an equally effective manner.
If the controller decides to invoke any of these conditions, it must be able to demonstrate to the supervisory authority that the relevant conditions are met. In view of this, it is advisable to document the circumstances that served as the basis for not communicating the breach to the data subjects concerned.
8. Documentation of the breach
The controller is required to document any personal data breach, regardless of whether it is likely to result in a risk or high risk to the rights and freedoms of natural persons. Regulation (EU) 2016/679 explicitly states the importance of this documentation – to enable the supervisory authority to verify compliance with the requirements of Article 33 of Regulation (EU) 2016/679. To this end, the data protection officer shall promptly complete the register of personal data breaches.
Appendix 1 to point 4 of the Procedure for Action in the Event of a Personal Data Breach
1. Risk level
The severity of a personal data breach in the context of this methodology is defined as "an assessment of the degree of potential impact on individuals as a result of the data breach." Using this methodology, the personal data controller is guided through the process by specific quantitative criteria in order to make a comprehensive assessment. In accordance with the possible notification requirements (under Articles 33 and 34 of Regulation (EU) 2016/679), the risk levels are determined as follows:
1.1. no risk;
1.2. risk;
1.3. high risk.
2. Criteria
The main criteria taken into account when assessing the severity of a personal data breach are:
2.1. data processing context (DC) – refers to the type of data breached, together with a number of factors related to the overall processing context;
2.2. identifiability of the data subject (IS) – determines how easily the identity of the individuals in the data involved in the breach can be established;
2.3. circumstances of the breach (CB) – refers to the specific circumstances surrounding the breach that are related to the type of breach, including, in particular, the loss of data security and any related malicious intent.
3. Formula for calculating the severity of the risk of a personal data breach
Based on the above criteria, the approach of this methodology is as follows:
3.1. DC is at the heart of the methodology and assesses the criticality of a given data set in a specific processing context;
3.2. IS is a corrective factor for DC. The overall criticality of a personal data breach can be reduced depending on the value of IS: the lower the possibility of identification, the lower the overall assessment. The combination of DC and IS (multiplication) gives the initial result for the severity of the data security breach.
3.3. CB quantitatively captures specific circumstances of the breach that may or may not be present in a given situation. When such circumstances are present, they can only increase the severity of the specific breach. For this reason, the initial assessment may be further adjusted upward by the circumstances of the breach.
The risk is calculated using the following formula:
RISK = DC × IS + CB
4. Assessment of criteria
4.1. Assessment of the data processing context (DC)
The result for the data processing context (DC) is determined in two consecutive steps:
Step 1 – Determination of the baseline DC score – determination of the types of personal data involved in the breach and their classification into one of four categories: ordinary, behavioural, financial, special categories of personal data.
Step 2 – Assessing the occurrence of certain factors that could increase or decrease the basic result.
If the data belongs to more than one category, it is examined in each of them and the highest result obtained is taken.
When assessing DC, certain factors that would increase or decrease the risk of the breach should be taken into account:
1) Risk-increasing factors
a) volume of data (the amount of information affected for each individual data subject, taking into account the time period and content) – the volume of data breached (for the same person) may increase the baseline DC score because of the increase in the amount of information breached (i.e., it acts as an aggravating factor). Volume should be considered both in terms of time (e.g., the same type of data over a certain period) and content (complementary data of the same type). For example, in the case of a breach of traffic data at an internet service provider, the DC score would be higher (for the same person) if the data covered a period of one year than if it were limited to one week (time). As another example, in the case of a breach at a bank, the DC score for a person's complete file would be higher than that for a single document from the same file (content).
b) characteristics of the controller (in terms of the sector and services they offer);
c) characteristics of natural persons (in terms of coverage of specific groups, e.g., disadvantaged individuals, children, others);
d) key data (some data, when combined with other data, including publicly available information, allow for a complete behavioural profiling of the individual).
2) Risk-reducing factors
a) Data invalidity/inaccuracy (due to age, inaccuracy, or incompleteness of content) – the baseline DC result for a given data set may be reduced if the invalidity or inaccuracy of the data is known to the controller (e.g. due to their age or content) and thus their significance is reduced. The controller must be certain of this circumstance in order to include it in the assessment.
b) Public availability – the baseline DC result for a data set may also be reduced if the compromised data was already publicly available prior to the breach or can be easily collected and/or accessed through publicly available sources.
c) Nature of the data (data of a general evaluative nature without additional data on the content that constitutes it) – another mitigating factor may in some cases be the very nature of a particular data set which, despite its initial impact score, is of lesser significance in terms of the information it may reveal about the individual. This is the case, for example, with a medical certificate that only certifies that the individual is in good health, without revealing any other information. In this case, although the baseline result will be high because health data is sensitive data, the final DC result for the data set will be 1, as it cannot in itself affect privacy. However, this factor must be considered with great care and with a clear explanation of why the data in a particular processing operation are inherently less significant than the baseline DC result suggests.
4.2. Assessment of the identifiability of the data subject (IS)
The identifiability of the data subject (IS) assesses how easy it would be for a party with access to the dataset to uniquely match it to a specific person.
For the purposes of this methodology, four levels of IS (negligible, limited, significant, and maximum) are defined with a linear increase in the result. The lowest rating is given when the possibility of identifying the person is negligible, meaning that it is extremely difficult to match the data to a specific person, but it could still be possible under certain conditions. The highest rating is given when identification is possible directly from the breached data, without the need for special research to discover the identity of the person.
When determining IS, it should be taken into account that identification may be direct (e.g., based on a name) or indirect (e.g., based on an identification number) as a result of the data breach, but may also depend on the specific context of the breach.
The level is also derived from the possibility of combining the acquired data with public data or third-party data, which would allow the identification of the subject.
4.3. Assessment of the circumstances of the breach (CB)
The circumstances of the breach are assessed based on the type of security breach and its nature (accidental or intentional/malicious). The elements considered in relation to CB are loss of security (confidentiality, integrity, availability) and malicious intent, and they complement DC and IS as follows:
1. Confidentiality breach: A confidentiality breach occurs when information is accessed by parties who are not authorized or have no legitimate purpose for accessing it. The degree of breach of confidentiality varies depending on the scope of disclosure, i.e., the potential number and type of parties who may have unlawful access to the information.
2. Integrity breach: An integrity breach occurs when the original information is altered and the replacement of the data could be harmful to the individual. The most serious situation arises when there is a significant possibility that the altered data could be used in a way that could harm the individual.
3. Loss of availability: Loss of availability occurs when the original data cannot be accessed when needed. It can be temporary (the data may be recoverable, but it will take time and this may be detrimental to the individual) or permanent (the data cannot be recovered).
4. Malicious intent: This element examines whether the breach was due to human or technical error, or was caused by deliberate malicious action. Non-malicious breaches include cases of accidental loss, improper destruction, human error, and software error or misconfiguration. Malicious breaches include cases of theft and hacking with the intent to harm individuals (e.g., by disclosing their personal data to unauthorized third parties). In other cases, malicious intent may include transferring personal data to third parties for profit (e.g., selling lists of personal data). In some cases, malicious intent may also be suggested by actions aimed at harming the data controller (e.g., by stealing and disclosing personal data to unauthorized parties). Malicious intent is a factor that increases the likelihood that the data will be used in a harmful way, as this was the original purpose of the breach.
It is possible that more than one of the above circumstances may apply. In such cases, the overall circumstance is equal to the sum of the values of the individual circumstances.
In the event of a breach of the integrity or availability of personal data that cannot be restored due to its uniqueness and is necessary for the exercise of the rights and freedoms of data subjects, the level of risk is directly considered high.
5. Determining the level of risk of a personal data breach
The overall severity of the risk of a breach is calculated using the following formula:
RISK = DC × IS + CB
The final result shows the level of severity of the risk of a breach, taking into account the impact on individuals.
6. Taking specific circumstances into account
Once the severity of the security breach has been determined, it may be accompanied by specific circumstances indicating certain elements of the breach which, although not affecting the outcome a priori, are important for the final assessment. For the purposes of the methodology, two specific circumstances are considered:
6.1. Number of individuals affected by the breach. Data on an individual who is the subject of a breach in the context of a larger incident may potentially be more easily disclosed, while at the same time a large number of individuals affected influences the overall scale of the breach.
6.2. The data is unintelligible. Unintelligibility (when encrypted data is acquired without the decryption key being disclosed) can significantly reduce the impact on individuals, as it greatly reduces the possibility of unauthorized parties accessing the data.
Depending on the results of the risk assessment, the actions provided for in the Procedure for Action in the Event of a Personal Data Breach at "Private Kindergarten Tuti 2011" Ltd. are taken.