Data Breach Policy
Neurocheckpro Limited. Last updated: 16 January 2026.
About this Policy
Neurocheckpro Limited ("we", "us" or "Neurocheck") complies with law and regulations relating to the privacy and protection of personal data and takes these obligations seriously.
This policy sets out our obligations and processes in the event of a data breach.
This policy applies to all of our staff, whether employed or self-employed.
This policy is prepared in compliance with the UK General Data Protection Regulation (the "UK GDPR") and the Data Protection Act 2018.
This policy should be read in conjunction with our Data Security Policy and Data Protection Policy.
What is a Data Breach
Under the UK GDPR a "data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed by us.
This policy applies to a wider set of potential breaches and will include any actual breaches as well as any event, incident or action which presents a risk to the integrity, security, confidentiality or availability of personal data, even if a breach does not actually occur.
Personal data means any information relating to an identified or identifiable natural person ("Data Subject"), that is, a person who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data or an online identifier (e.g. an IP address), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Examples of Data Breaches
Some examples of data breaches would include:
• the loss or theft of a physical file or record;
• the loss or theft of devices (e.g. a laptop, mobile device or tablet), portable data storage devices (e.g. USB drive), or other data storage devices;
• equipment failure;
• unauthorised access to our premises;
• unauthorised access to, use of, or modification of data (or inadequate access controls allowing unauthorised access, use, or modification);
• unauthorised or accidental disclosure of data;
• human error (e.g. sending data to the wrong recipient);
• unforeseen circumstances such as fire or flood;
• hacking, phishing, "blagging" and other social engineering attacks whereby information is obtained by deception.
Reporting within Neurocheck
If a data breach is discovered or suspected, members of staff should notify the Data Security Lead as soon as possible by submitting a report ("Data Breach Report").
The Data Breach Report should include full details of the event or incident including the following information:
• the time and date of the breach;
• the time and date the breach was discovered;
• the type(s) of data involved;
• where the breach involves personal data, the categories of data subjects to which the personal data relates (e.g. customers, employees etc.);
• whether or not any sensitive personal data (special category data, such as health data, or criminal offence data) is involved;
• how many data subjects are likely to be affected (if known); and
• any suggested remedial action.
A data breach should be reported as soon as possible. If a data breach occurs or is discovered outside of normal working hours, it should be reported as soon as is reasonably practicable.
Immediate Response
On being notified of a data breach in any way (whether or not a Data Breach Report has been submitted) the Data Security Lead will determine whether the data breach is still occurring. If this is the case, appropriate steps shall be taken immediately to stop or minimise the effects of the data breach.
The Data Security Lead will then initiate the initial response. The Data Security Lead will:
• undertake an initial assessment of the data breach, liaising with the relevant staff and departments where appropriate, to establish the severity of the data breach;
• contain the data breach and, to the extent reasonably practicable, recover, amend, or restrict the availability of (e.g. by changing or revoking access permissions or by temporarily making the data unavailable electronically) the affected data;
• determine whether anything further can be done to recover the data and/or other losses, and to limit the damage caused by the breach;
• establish who needs to be notified;
• determine the best course of action to resolve and remedy the data breach; and
• record the breach and the initial steps taken above in our Data Breach Register.
Having completed the initial steps described above, the Data Security Lead will investigate and assess the breach.
Investigation and Assessment
The Data Security Lead will undertake an investigation and assessment within 24 hours of receiving notice of the breach.
The investigation and assessment will consider the following:
• the types of data involved;
• who the data subjects are;
• how sensitive the data is;
• what the breach involved;
• what could be done with the data as a result of the breach;
• the number of data subjects concerned;
• the effects and consequences for the data subjects; and
• any consequences for Neurocheck.
The results of the investigation and assessment described above must be recorded in our Data Breach Register.
After the initial investigation and assessment the Data Security Lead shall decide who needs to be notified.
Notification
The Data Security Lead shall decide whether Neurocheck is required to notify one or more of the following parties and how to notify those parties:
• affected data subjects;
• the ICO;
• the police;
• our insurers; and
• other affected parties.
When deciding whether (and how) to notify individual data subjects or the ICO the Data Security Lead will consider:
• whether data subjects' rights and freedoms as set out in the UK GDPR (and our Data Protection Policy) will be adversely affected;
• the volume of information involved;
• the sensitivity of the information;
• whether there is a legal obligation to notify;
• whether the risk has been contained by actions taken following the breach;
• the benefits of notifying subjects;
• whether notification will involve disproportionate effort;
• how much information to provide;
• any further information or assistance which should be offered; and
• whether there is a risk of notifying unnecessarily.
Where the breach is likely to result in a high risk to data subjects' rights and freedoms, affected individuals must be informed without undue delay. Whenever data subjects are informed about a breach, the following information should be provided:
• a plain, user-friendly description of the data breach, including how and when it occurred, the personal data involved, and the likely consequences;
• clear and specific advice, where relevant, on the steps individuals can take to protect themselves;
• a description of the measures taken (or proposed to be taken) to address the data breach including, where relevant, measures taken to mitigate any possible adverse effects; and
• contact details for the Data Security Lead (or other contact point from whom more information about the breach can be obtained).
The ICO must be informed unless the breach is unlikely to result in a risk to data subjects' rights and freedoms. A breach will normally present such a risk where data subjects could suffer substantial detriment or distress, where a high volume of personal data is involved, or where a small amount of high-risk data is involved.
If the ICO is to be notified, this must be done within 72 hours of becoming aware of the breach, where feasible. This time limit applies even if complete details of the data breach are not yet available: information that is not yet known may be provided in phases, and the reasons for any delay beyond 72 hours must be given. The ICO must be provided with the following information:
• the category or categories and the approximate number of data subjects whose personal data is affected by the data breach;
• the category or categories and the approximate number of personal data records involved;
• the name and contact details of the Data Security Lead, from whom the ICO can obtain further information about the data breach;
• a description of the likely consequences of the data breach; and
• a description of the measures taken (or proposed to be taken) to address the data breach including, where relevant, measures taken to mitigate any possible adverse effects.
Records must be kept of all data breaches, regardless of whether notification is required.
Evaluation and Response
Once the steps in this policy have been completed, the data breach has been contained and the relevant parties have been notified, the Data Security Lead shall conduct a complete review of the causes of the data breach, the effectiveness of the measures taken in response, and whether any systems, policies or procedures can be changed to prevent data breaches from occurring in the future.
The review will consider:
• where and how data is held and stored;
• the organisational and technical security measures currently in place to protect data, and the risks and possible weaknesses of those measures;
• the methods of transmission for both physical and electronic data, and whether or not those methods are secure;
• the level of data sharing that takes place, and whether or not that level is necessary;
• whether any data protection impact assessments need to be conducted or updated; and
• staff awareness and training concerning data protection.
Where improvements or other changes have been identified the Data Security Lead shall implement the relevant improvements and/or changes as soon as possible.
Report a suspected breach: support@neurocheckpro.com, 3rd Floor, 86–90 Paul Street, London EC2A 4NE.
