Data Breach Policy

Data Breach Policy (Updated April 2026)

Bell Howley Perrotton LLP and BHP Advisory Limited

Purpose of this Policy

This policy sets out the procedures to be followed in the event of a personal data breach to ensure compliance with:

- UK data protection legislation 

- Professional obligations (including confidentiality duties) 

- Regulatory requirements, including those of the Chartered Institute of Taxation and, where applicable, the Solicitors Regulation Authority 

This policy applies to all staff, consultants and contractors.

What is a Personal Data Breach

A personal data breach is defined as:

“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.”

Types of Breach

Data Security Breach

A breach arising from failure to implement appropriate technical or organisational safeguards.

Examples include:

- Sending personal data without encryption or password protection 

- Failure to verify identity before disclosure 

- Leaving confidential information unattended (clear desk failure) 

- Loss of devices containing unencrypted data 

Data Protection Breach

A breach involving unauthorised access, disclosure, or loss of personal data.

Examples include:

- Data accessed by unauthorised individuals 

- Loss or theft of devices or files 

- Cyber incidents (e.g. hacking, phishing, malware) 

- Incorrect recipient disclosures (e.g. email errors) 

- Social engineering or impersonation attacks 

Responsibilities

- The firm’s Data Controller / Compliance Officer is responsible for oversight of breach management. 

- All staff are responsible for immediately reporting suspected or actual breaches. 

- Failure to report a breach may result in disciplinary action. 

Reporting a Breach (Internal)

All breaches or suspected breaches must be reported immediately to the Data Controller or designated Compliance Officer.

Reports should include:

- Nature of the breach 

- Type of data involved 

- Individuals affected 

- How the breach occurred 

- Any immediate actions taken 

Breach Response Procedure

Upon notification, we will:

Contain the Breach

- Stop or limit further data loss 

- Secure systems and recover data where possible 

Assess the Risk

We will assess:

- The type and sensitivity of the data 

- The number of individuals affected 

- The potential harm (e.g. financial loss, reputational damage, loss of confidentiality) 

- Whether data has been accessed or merely exposed 

Mitigate Impact

- Attempt to recover the data or secure its deletion 

- Notify unintended recipients with appropriate instructions 

- Provide guidance to affected individuals where necessary 

Investigate

- Identify root cause 

- Review systems, controls and procedures 

- Implement corrective measures 

Record Keeping

All breaches (including near misses) will be recorded in a Data Breach Register, including:

- Facts of the breach 

- Effects 

- Remedial actions taken 

Regulatory Notification

ICO Notification

We will notify the Information Commissioner’s Office without undue delay and within 72 hours where a breach is likely to result in a risk to individuals’ rights and freedoms.

If notification is delayed, reasons will be documented.

Notification to Individuals

Affected individuals will be notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

Notifications will include:

- Nature of the breach 

- Likely consequences 

- Steps taken 

- Recommended actions 

Professional / Regulatory Notification

Where relevant, we will consider obligations to notify:

- The Solicitors Regulation Authority (where legal services are impacted) 

- The Chartered Institute of Taxation (where professional conduct obligations arise) 

Distinction: Security Incident vs Data Breach

- Security Incident: A threat or event (e.g. malware, attempted attack) that may not involve personal data 

- Data Breach: Confirmed compromise, loss or unauthorised access to personal data 

All incidents must be reported, but only qualifying breaches trigger regulatory notification.

Data Sharing and Confidentiality

We maintain strict confidentiality obligations. Personal data will only be shared:

- Where necessary to provide services 

- With authorised processors or advisers 

- Where required by law or regulation 

All sharing must comply with data protection law and professional obligations.

Security Measures

We implement appropriate technical and organisational measures, including:

- Encryption and secure communication protocols 

- Access controls and authentication 

- Secure storage and restricted access 

- Staff training and awareness 

- Clear desk and secure disposal policies 

Training and Awareness

All staff receive regular training on:

- Data protection obligations 

- Recognising and reporting breaches 

- Cybersecurity risks (including phishing and social engineering) 

Review of Policy

This policy will be reviewed regularly and updated as required to reflect:

- Legal developments 

- Regulatory guidance 

- Changes in business operations