Security Incident Response Procedure

Security Incident – A situation or event involving at least one of the following consequences:

  • Loss of data availability – this can be permanent or temporary (e.g. destruction of a hard drive without backup, several hours of database inaccessibility);
  • Loss of confidentiality – personal data breach (unauthorized access to personal data);
  • Loss of data integrity – unauthorized changes to data that, for example, make it impossible to verify its accuracy.

In the event of a suspected security incident, the following response steps should be followed:

Step 1 – The employee who detects the risk of an incident:

  • Immediately secures the data to prevent further leakage or destruction, while preserving information about the event (i.e. restricts access by unauthorized persons but does not delete any data).
  • It is important to retain evidence of what data may have been compromised, as this will be essential for the next steps. For instance, in the event of a server breach and data theft, the server should be disconnected from the internet, but the data should not be deleted — it will be needed to assess the scale and scope of the breach.

Step 2 – The same employee must promptly inform their supervisor and the Data Protection Officer (DPO).

The report should include all relevant facts, especially: who caused the breach, the cause of the breach, the specific data affected, the number of data subjects (at least approximately), the categories of data subjects (e.g. employees, students, contractors), and samples or copies of related documents (e.g. email attachments).

Step 3 – The DPO, together with the school management and IT personnel (if the incident is IT-related), conducts a follow-up review of data security.

Step 4 – In the case of a serious incident, an internal committee is appointed to investigate the incident, determine its cause, course of events, and potential consequences.

Step 5 – A decision is made whether the incident must be reported to:

  • The President of the Personal Data Protection Office (PUODO);
  • The data subjects affected by the breach.

This decision is made by school management after consulting the DPO.

Step 6 – If a notification to PUODO is required, the DPO prepares the official breach notification for submission to the supervisory authority.

Step 7 – The DPO prepares a post-incident report, which includes:

  • An assessment of the possible impact on the data subjects;
  • Recommendations to prevent similar breaches in the future, including organizational, physical, or technical safeguards, and personnel-related consequences (if applicable).

Step 8 – The incident is recorded in the Data Breach Register.
NOTE:
If the breach poses a risk to the rights or freedoms of data subjects, the notification to the President of the Personal Data Protection Office must be made without undue delay and no later than 72 hours after becoming aware of the breach. These are calendar hours, not business hours — so action must be taken immediately.