Page 68 - EQA Employee Handbook
fee. The data subject is advised of their right of complaint to the Data Protection Commissioner with regards to this refusal of data access.

Upon acceptance of the fee, and confirmation of payment, the response to the data access request is agreed with the data subject. Fulfilment of this data access request shall be completed no later than 90 days after receipt of the initial data access request. This shall be communicated to the data subject, including advice regarding their right of complaint to the Data Protection Commissioner.
7.7 Data Breaches

7.7.1. Data breaches are categorised into the following three types:

7.7.1.1. A confidentiality breach is where there is an unauthorised or accidental disclosure of, or access to, personal data. (For example, emailing personal data to the wrong group of individuals, or giving access to third parties without a legal basis for doing so.)

7.7.1.2. An availability breach is where there is unauthorised access to, or destruction of, personal data. (For example, an infection of ransomware, or misapplying a data retention policy and erroneously deleting information.)

7.7.1.3. An integrity breach is where there is an unauthorised or accidental alteration of personal data.
7.7.2. Where a data breach has occurred in relation to any of the above categories, the breach shall be reported immediately to the Chief Executive or, in his place, to at least one other member of senior management. Where the data breach occurs under the remit of a data processor, the immediacy of notification shall be as defined within the relevant contract and/or data processor agreement.

7.7.3. Upon notification of the data breach, the Chief Executive and/or the member(s) of senior management shall review the data breach by completing the ‘Data Breach Risk Assessment Form’ and determine the following:

7.7.3.1. If a data breach has occurred, where the personal data is not in a form that is anonymised or encrypted, that breach shall be reported to the Data Protection Commissioner without undue delay and within 72 hours of its occurrence.

7.7.3.2. If a data breach is likely to bring harm to an individual, including the data subject (such as identity theft or confidentiality breach), this breach shall be reported to the individual(s) concerned. In terms of the data subject, this communication shall not be required if any of the following conditions are met:

• EQA (Ireland) has ensured encryption or some other form of protection where the data has been rendered unintelligible;
• EQA (Ireland) has ensured that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
• Communication would involve disproportionate effort, and a public communication or similar would inform data subjects in an equally effective manner.
7.7.4. Where the Data Protection Commissioner is to be notified, the initial correspondence from EQA (Ireland) to the Data Protection Commissioner shall, at least:

• Describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
• Communicate the name and contact details of the contact point where more information can be obtained;
• Describe the likely consequences of the personal data breach;
• Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Page 67 of 79