Page 73 - EQA Employee Handbook Feb 2020 v1
Upon calculation of the chargeable fee, the data subject is sent a communication - within 30 days of
the initial request – advising them of the withholding of a response, subject to receipt of this fee. The
communication shall include a detailed explanation of the reason(s) for this
fee. The data subject is also advised of their right to complain to the Data Protection Commissioner with
regard to this withholding of data access.
Upon acceptance of the fee, and confirmation of payment, the response to the data access request is
agreed with the data subject. Fulfilment of this data access request shall be completed no later than
90 days after receipt of the initial data access request. This shall be communicated to the data subject,
including advice regarding their right of complaint to the Data Protection Commissioner.
7.7 Data Breaches
Data breaches are categorised into the following three types:
• A confidentiality breach is where there is an unauthorised or accidental disclosure of, or
access to, personal data. (For example, emailing personal data to the wrong group of
individuals, or giving access to third parties without a legal basis for doing so.)
• An availability breach is where there is an accidental or unauthorised loss of access to, or
destruction of, personal data. (For example, a ransomware infection, or misapplying a data retention
policy and erroneously deleting information.)
• An integrity breach is where there is an unauthorised or accidental alteration of personal
data.
• Where a data breach has occurred in relation to any of the above categories, the breach shall
be reported immediately to the Chief Executive or, in his place, to at least one other member
of senior management. Where the data breach occurs under the remit of a data processor,
the immediacy of notification shall be as defined within the relevant contract and/or data
processor agreement.
• Upon notification of the data breach, the Chief Executive and/or the member(s) of senior
management shall review the data breach by completing the ‘Data Breach Risk Assessment
Form’ and determine the following:
• If a data breach has occurred and is not unlikely to result in a risk to the rights and freedoms of
individuals (for example, because the personal data was not anonymised or encrypted), that breach
shall be reported to the Data Protection Commissioner without undue delay and, where feasible, within
72 hours of EQA (Ireland) becoming aware of it. Where notification is made later than 72 hours, the
reasons for the delay shall be given.
• If a data breach is likely to result in a high risk to the rights and freedoms of an individual
(such as identity theft, fraud or the exposure of confidential information), the breach shall be
communicated to the individual(s) concerned without undue delay. This communication shall not be
required if any of the following conditions are met:
• EQA (Ireland) has applied encryption or other appropriate protection measures that render the
data unintelligible to any person not authorised to access it;
• EQA (Ireland) has ensured that the high risk to the rights and freedoms of data subjects is
no longer likely to materialise;
• Communication would involve disproportionate effort, and a public communication or
similar would inform data subjects in an equally effective manner.
• Where the Data Protection Commissioner is to be notified, the initial correspondence from EQA
(Ireland) to the Data Protection Commissioner shall, at least:
• Describe the nature of the personal data breach including where possible, the categories and
approximate number of data subjects concerned and the categories and approximate number
of personal data records concerned;
• Communicate the name and contact details of the contact point where more information can
be obtained;
• Describe the likely consequences of the personal data breach;
• Describe the measures taken or proposed to be taken by the controller to address the
personal data breach, including, where appropriate, measures to mitigate its possible adverse
effects.
Page 72 of 85