THE ORDER OF THE KNIGHTS OF ST COLUMBA
Serve God by Serving Others

DATA PROTECTION & PRIVACY POLICY
Data Breach Notification 

I. All personal data breaches must be reported immediately to the Organisation's Responsible Officer and the Licence Check Security Officer. 
 
II. If a personal data breach occurs in respect of data for which the Organisation is the data controller and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Responsible Officer must ensure that the Information Commissioner's Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it. 
 
III. In the event that a personal data breach is likely to result in a high risk (that is, a higher risk than that described under Part 29.2) to the rights and freedoms of data subjects, the Responsible Officer must ensure that all affected data subjects are informed of the breach directly and without undue delay. 
 
IV. Data breach notifications shall include the following information: 
a) The categories and approximate number of data subjects concerned;
b) The categories and approximate number of personal data records concerned;
c) The name and contact details of the Organisation's data protection officer (or other contact point where more information can be obtained);
d) The likely consequences of the breach;
e) Details of the measures taken, or proposed to be taken, by the Company to address the breach including, where appropriate, measures to mitigate its possible adverse effects.
 
Where the Organisation is acting as data processor for a third-party data controller, the obligations in I - IV above shall apply, but notification shall be to the data controller rather than to the data subjects directly. 
 
 
Implementation of Policy
 
This Policy shall be deemed effective as of 25/05/2018. No part of this Policy shall have retroactive effect; it shall thus apply only to matters occurring on or after this date.
This Policy has been approved and authorised by the Directors of the Knights of St Columba. 
 
 
Policy Updates 
 
Page 13 – Reference to Youth and Young People added – 25th September 2018
Page 13 – Reference to Youth and Young People amended – 27th September 2018
Page 3 – Accountability and Record-Keeping (Article 30 GDPR) – Name of Data Protection Officer amended – 25th April 2019 
Page 12 – Data Security – Use of Personal Data – Name of Responsible Officer amended – 25th April 2019