Data breaches Flashcards

1
Q

Requirements needed for person to be recruited to a DPO role

A

none

2
Q

What year was GDPR introduced?

A

May 2018

3
Q

Meaning of GDPR?

A

General Data Protection Regulation

4
Q

Rights under GDPR?

A
  1. Right to access information
  2. Right to be informed
  3. Right to rectification
  4. Right to erasure
  5. Right to data portability
  6. Right to object to automated processing
  7. Right to object to processing of personal data
  8. Right of restriction
  9. Restriction of Individual Rights in certain circumstances
5
Q

Data Protection Acts 1988-2003 versus GDPR 2018

A
  • Improved transparency, accountability and provisions for individuals’ rights; increased fines of up to 20 million
  • Establishment of a new Data Protection Commission
6
Q

What happens if a data protection complaint relates to an incident that occurred before 2018?

A

The Data Protection Acts 1988–2003, and not the GDPR, will apply.

7
Q

What is the formal procedure when requesting your own clinical notes from hospital?

A
8
Q

As per rule 8 of data protection, how soon must a note be filed?

A

24 hours

9
Q

How long after turning 18 are files destroyed?
Exception?

A

8 years
Exception:
- if treatment is completed at 17, 9 years
- if likely to have implications in the future

10
Q

How many new cases were processed by the DPC last year?
How many were valid breach notifications?
What % came from the public/voluntary sector?

A

9300
5000
48%

11
Q

When is a DPO required for a company?

A
  • Processing is done by a public authority or body.
  • Processing involves regular and systematic monitoring of a large number of individuals.
  • Processing involves large-scale processing of specific types of data, such as criminal records.
12
Q

For a data protection impact assessment of a new high-risk project, it is necessary to…?

A

Mandatorily assess potential data protection risks.
Identify and address risks that may impact your organization or individuals involved.
Develop plans to implement solutions for mitigating these risks.
Evaluate the feasibility of the project at an early stage.

13
Q

What happened with Cambridge Analytica?

A

  • CA collected personal data on 87 million FB users in the 2010s without their consent, using a quiz ‘This is your Life’
  • Data used in the Trump campaign → target people who are prone to conspiratorial thinking
  • Accused of interfering with the Brexit referendum

14
Q

What is a data breach?

A

A security incident that unintentionally or unlawfully results in the accidental destruction, loss, alteration, unauthorized disclosure of, or access to personal data that is being transmitted, stored, or processed.

15
Q

Fines for a serious breach?
Fines for an extremely serious breach?

A

up to 10 million
up to 20 million

16
Q

HSE data breach process guidance

A

i. Identify
ii. Notify
iii. Classify
iv. Report
v. Contain and Recover
vi. Risk Assessment
vii. Notification of Breach
viii. Evaluation and Response

17
Q
Identify and notify manager
A

  • Procedures that allow any staff member to report any information/data security breach.
  • Staff are aware of what a breach is and whom they should report such a breach to.
  • Details of the breach should be recorded and reported accurately within 72 hours.
  • Manager is notified and will sign the Data Breach Incident Report form.

18
Q
Classify: DP incident or breach?
A

Manager assesses if it’s a breach or incident. If not, no further action is needed.

If it is:
Staff and manager complete a data breach incident form.

Form is sent to Deputy Data Protection Officer (DDPO) for confirmation.

If it involves information systems, also sent to Office of the Chief Information Officer (OoCIO).

For incidents, DDPO suggests corrective actions. Manager logs incident and implements corrective actions.

For breaches, DDPO logs it with the Data Protection Commission and reports corrective actions taken.

19
Q
Containment and recovery
A
  • Manager limits the scope and impact of the breach of data/information, e.g. changing access codes, changing physical access, etc.
  • DDPO establishes who in the organisation needs to be made aware of the breach and informs them of what they are expected to do to assist in the containment exercise (e.g. Gardaí, communications dept).
  • OoCIO (Office of the Chief Information Officer) has a role in containment if it was an IT breach (e.g. wiping a mobile device).
20
Q
Risk assessment
A

Evaluate potential consequences:
1. Type and sensitivity of information.
2. Existing security measures.
3. What the information could reveal about individuals.
4. Number of individuals affected.
5. If it’s a significant breach, the Deputy Data Protection Officer (DDPO) informs the Data Protection Officer (DPO) for guidance on necessary corrective actions.

21
Q
Notify data subjects
A

Manager should, in plain English:
* Outline what occurred
* Apologise for the incident
* Provide name and contact for further info
* Describe the likely consequences of the breach
* Describe the measures taken to address the breach
* Confirm the DPC has been notified
* Record notification to data subject
* Consumer Affairs or ICT Directorate immediately.

22
Q

Evaluation and response

A

A thorough review of the incident should occur, to ensure that the steps taken during the incident were appropriate and to identify areas that may need to be improved.

Any recommended change to policies and/or procedures should be documented and implemented as soon as possible thereafter.

23
Q

What does the electronic communications policy apply to?

A

  • All electronic communications, email, internet, intranet and fax services provided by the HSE
  • All IT resources provided by the HSE
  • All users (including HSE staff, students, contractors, sub-contractors, agency staff and authorized third-party commercial service providers)
  • All use (both personal and HSE business related)
  • All connections (local or remote) to the HSE’s email, internet, intranet and fax facilities
  • All connections made to external networks through the HSE network

24
Q

Policy on personal use of electronic communications

A

HSE’s electronic communication services are for official business, but occasional personal use may be allowed if it meets these criteria:
Doesn’t interfere with HSE work.
Doesn’t impact user performance or HSE operations.
Doesn’t create unnecessary costs or liabilities.
Has no negative impact on the HSE.
Doesn’t involve commercial activities.
Follows the law and complies with HSE policies.

25
Q

Policy on personal use of email

A

When using email:

  1. Clearly indicate if it’s personal and not on behalf of the HSE.
  2. Ensure actions or words won’t negatively impact the HSE.
  3. Use only HSE-provided email for work; avoid third-party services for confidential information.
  4. Don’t forward confidential HSE information to personal email accounts.
  5. Keep personal and HSE business emails separate.
26
Q

Policy on internet use

A
  1. HSE filters internet access, blocking inappropriate sites.
  2. Smart devices are exempt, but users are responsible for their internet connections.
  3. Installing third-party internet facilities on HSE devices requires authorization.
  4. Users should be aware that their HSE device’s unique address can be logged by visited sites, potentially identifying the HSE.
27
Q

Policy on social media use

A

HSE blocks most social media sites.
All social media use, personal or on behalf of HSE, must follow the HSE Social Media Policy.
Avoid posting confidential or restricted information about HSE business, procedures, or personal details of patients, clients, or employees on social media.

28
Q

Policy on fax

A

Confidential and personal information should not be transmitted by fax.
EXCEPTIONS APPLY – when?
  • Cover sheet
  • Double check fax number
  • Minimal information
  • Telephone before
  • Keep copy of transmission slip
  • Approval from manager

29
Q

Social media etiquette according to the HSE

A
  1. Respect others’ views; avoid public disagreements.
  2. Maintain professionalism.
  3. Promptly correct your mistakes and admit when you’re wrong.
  4. Avoid conduct deemed unacceptable online.
  5. Ignore trolls aiming for negative interactions.
  6. Share only accurate information; be cautious of fake news and misinformation.
  7. Use the first person when posting, as you represent yourself, not your employer.
  8. Offensive remarks about individuals, organizations, or groups on social media may lead to disciplinary or legal action.
  9. If you link your employer (HSE) in your social media bio, remember it connects you to your workplace publicly.
  10. It’s okay to have opinions on HSE-related public topics, but ensure they are based on facts.
  11. The media monitor social media, so if you’re not an official spokesperson, avoid expressing professional views in public.
30
Q

What is HSELive?

A

  • Remember you are not the customer-facing voice of the HSE; the HSELive team fulfil this role.
  • Public queries relating to HSE services are dealt with by the HSELive team, who are highly trained and skilled in dealing with the broad range of questions received on a daily basis.
  • If members of the public contact you for an answer to a HSE-related query, you should direct them to the HSELive team, the customer service arm of the organisation.

31
Q

Enforcement of policies

A
  • Subject to disciplinary action, including suspension and dismissal.
  • HSE may refer any use of electronic comms, email, internet and fax services for illegal activities to the Gardaí.
32
Q

CORU social media guidelines:

A
  1. Use social media responsibly, maintaining professional standards.
  2. Consider the impact on service users before posting, avoiding abusive or defamatory comments.
  3. Do not breach obligations under the Code or discuss service users on social media.
  4. Use privacy settings and be mindful of how posted information might be interpreted.
  5. Maintain professional boundaries on social media to uphold public trust in your profession.