Reporting a data breach procedure

What to do if personal data has been lost, stolen or shared inappropriately

It’s the law and Girlguiding policy to keep all personal data Girlguiding receives safe, secure and confidential where appropriate.

As a Girlguiding volunteer, you must follow our procedures to make sure you do this.

From time to time mistakes or problems can happen. You must read and use this procedure, which shows you what a data breach is, how to recognise it, and what you must do about it.

Who must use this procedure?

Any Girlguiding member or volunteer aged 18 or over. If you are supervising a member or volunteer who is under 18, you are responsible for making sure they know how to report breaches to you.

Remember, you are responsible for reporting data breaches to the data protection lead at HQ immediately after discovering a breach.

What is personal data?

Personal data is information that identifies an individual. Examples include names, addresses, dates of birth, email addresses, social media handles, photos and videos. Personal data also includes things like a person’s religion, beliefs, health issues and gender identity.

What is a data breach?

A data breach is an incident or omission that results in a loss, theft, deletion, unauthorised sharing or unauthorised access to personal data. Here are some examples:

  • Emailing personal data to the wrong person.
  • Leaving unit health forms on the bus.
  • Leaving documents in the boot of a car which is then stolen.
  • Posting personal information on to social media without permission.
  • Losing a unit contact list printed from GO.
  • Letting someone else use your GO account or password.
  • Losing a memory stick.
  • Being overheard discussing personal data.

What must I do if I discover a data breach?

1. Report

How do I report?

If you are not sure whether what has happened, or what you have found, is a data breach, the rule is: if in doubt, report – it’s better to over-report than under-report.

You will still need to report even if you were able to get the data back, as we must, by law, keep a record of all actual and potential breaches.

2. Minimise

As soon as possible, you need to try to minimise the impact of the breach. For example:

  • If you’ve sent an email to the wrong person, send a second email asking for it to be deleted.
  • If a log-in password has been disclosed and is no longer secure, reset your password or contact membership systems to have the account suspended.
  • If you have left documents with personal data somewhere - like on the bus or in a café - go back and check if they have been handed in.
  • If personal information has been posted online then delete it if you can.

3. Follow up

After you have made a data breach report to HQ, the data protection lead will work with your county commissioner to decide if you need to take follow-up actions. These could include:

  • Contacting the people whose personal data has been affected by the incident.
  • Making changes to the way you handle personal data in future.
  • Completing additional training.

Any follow-up actions required by the data protection lead are compulsory.

We’re here to help. We want you to feel confident that you know how to handle a data breach. If you have any questions or concerns please contact [email protected] or call the data protection team on 020 7834 6242 ext. 3060. 

Girlguiding policies and procedures are reviewed and updated from time to time as part of a review cycle.