Security Incident & Data Breach Policy
1. Introduction
1.1 e-Learn Design is a Data Processor registered with the ICO ref: Z2107917. Clients retain control of their data and remain responsible for their compliance obligations under the Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions they give to e-Learn Design.
2. Purpose
2.1 This policy sets out the procedure to be followed to ensure a consistent and effective approach is in place for managing data breaches and information security incidents.
2.2 The objective of this policy is to help clients contain breaches, minimise the risk associated with a breach, and consider what action is necessary to prevent further breaches and information security incidents.
3. Definitions/types of breach
3.1 For the purpose of this policy, data security breaches include both confirmed and suspected incidents.
3.2 An incident in the context of this policy is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately.
3.3 An incident includes, but is not restricted to, the following:
- system failure;
- unauthorised use of, access to or modification of data or information systems;
- attempts (failed or successful) to gain unauthorised access to information or IT system(s);
- unauthorised disclosure of sensitive/confidential data;
- hacking attack;
- human error; or
- ‘blagging’ offences where information is obtained by deceiving the organisation that holds it.
4. Reporting an incident
4.1 Confirmed and suspected data breach and information security incidents should be immediately reported by email to security(at)e-learndesign(dot)co(dot)uk, by calling 0845 474 4512, or through the helpdesk reporting web page.
5. Containment and recovery
5.1 e-Learn Design shall take the appropriate steps to assist the client in containment of a breach and recover, where available, any lost data through backups.
6. Investigation and risk assessment
6.1 Immediately following any incident, e-Learn Design shall coordinate with the client to investigate the matter and consider what action is necessary to prevent further breaches.
6.2 If deemed necessary, a report recommending changes to systems, policies and procedures will be provided for client consideration.
6.3 If deemed necessary, a report will be made to the appropriate authority.
6.4 All breaches will be documented, even if a report is not deemed necessary.
7. Policy changes
7.1 This policy will be updated as necessary to reflect best practices and to ensure compliance with any changes or amendments to relevant legislation.
Last reviewed: April 2024