Dover Data Breach Policy
Introduction
Under the General Data Protection Regulation (GDPR), certain personal data breaches must be notified to the Office of the Information Commissioner of Canada (OIC) and sometimes affected data subjects need to be told too.
The purpose of this policy is to outline the internal breach reporting procedure of Staya, Inc. (d.b.a. Dover) (hereafter "Company") and our internal and external response plan. It should be read in conjunction with our data protection policy.
What constitutes a personal data breach?
A personal data breach is "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed".
A breach is, therefore, a type of security incident, and three different types of breach may occur:
1. Confidentiality breach - an accidental or unauthorized disclosure of, or access to, personal data.
2. Availability breach - an accidental or unauthorized loss of access to, or destruction of, personal data.
3. Integrity breach - an accidental or unauthorized alteration of personal data.
A breach can simultaneously concern confidentiality, availability and integrity of personal data, and any combination of these.
A personal data breach would, for example, include:
personal data being disclosed to an unauthorized person, e.g. an email containing personal data sent to the wrong person.
an unauthorized person accessing personal data, e.g. an employee's personnel file being inappropriately accessed by another staff member due to a lack of appropriate internal controls.
a temporary or permanent loss of access to personal data, e.g. where a client's or customer's personal data is unavailable for a period of time due to a system shutdown, a power, hardware or software failure, infection by ransomware or viruses, or a denial-of-service attack; where personal data has been deleted, either accidentally through human error or by an unauthorized person; or where the decryption key for securely encrypted data has been lost.
This list is not exhaustive.
Notification to relevant jurisdiction
Not all personal data breaches have to be notified. The breach will only need to be notified if required by the relevant jurisdiction, and this needs to be assessed by the Company on a case-by-case basis. A breach is likely to result in a risk to the rights and freedoms of data subjects if, for example, it could result in:
loss of control over their data
limitation of their rights
discrimination
identity theft
fraud
damage to reputation
financial loss
an unauthorized reversal of pseudonymization
loss of confidentiality
any other significant economic or social disadvantage.
Where a breach is reportable, the Company must notify the relevant parties in the relevant jurisdictions and, where feasible, no later than 72 hours after becoming aware of the breach. If a breach report is submitted late, the Company must also explain the reasons for the delay. Our notification must at least include:
a description of the nature of the breach, including, where possible, the categories and approximate number of affected data subjects and the categories and approximate number of affected records
the name and contact details of the Company's DPO
a description of the likely consequences of the breach
a description of the measures taken, or to be taken, by the Company to address the breach and mitigate its possible adverse effects.
We can provide this information in phases, without undue further delay, if it cannot all be provided at the same time.
Awareness of the breach occurs when we have a reasonable degree of certainty that a breach has occurred. In some cases, it will be relatively clear from the outset that there has been a breach. However, where it is unclear whether or not a breach has occurred, we will have a short period of time after first being informed about a potential breach to carry out an initial investigation and establish with a reasonable degree of certainty whether or not a breach has, in fact, occurred. If, after this short initial investigation, we establish a reasonable degree of likelihood that a breach has occurred, the 72-hour period starts to run from the moment of that discovery.
Communication to affected data subjects
Where the personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the Company also needs to communicate the breach to the affected data subjects without undue delay, i.e. as soon as possible. In clear and plain language, we must provide them with:
a description of the nature of the breach
the name and contact details of the Company's DPO
a description of the likely consequences of the breach
a description of the measures taken, or to be taken, by the Company to address the breach and mitigate its possible adverse effects.
We will also endeavor to provide data subjects with practical advice on limiting the damage, e.g. cancelling their credit cards or resetting their passwords.
We will contact data subjects individually, by e-mail, unless that would involve the Company in disproportionate effort, such as when their contact details have been lost as a result of the breach or were not known in the first place, in which case we will use a public communication, such as a notification on our website.
However, we do not need to report the breach to data subjects if:
we have implemented appropriate technical and organizational protection measures and those measures have been applied to the personal data affected by the breach, in particular those that render the personal data unintelligible to any person who is not authorized to access them, such as state-of-the-art encryption, or
we have taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize.
Assessing risk and high-risk
In assessing whether a personal data breach results in a risk or high risk to the rights and freedoms of data subjects, the Company will take into account the following criteria:
the type of breach
the nature, sensitivity and volume of personal data affected
ease of identification of data subjects (properly encrypted data is unlikely to result in a risk if the decryption key was not compromised in the breach)
the severity of the consequences for data subjects
any special characteristics of the data subject
the number of affected data subjects
special characteristics of the Company.
Data breach register
The Company will maintain a register of all personal data breaches, regardless of whether or not they are notifiable. The register will include a record of:
the facts relating to the breach, including the cause of the breach, what happened and what personal data were affected
the effects of the breach
the remedial action we have taken.
Data breach reporting procedure
If you know or suspect a personal data breach has occurred, you must immediately advise your line manager and contact the Company's DPO. You must ensure you retain any evidence you have in relation to the breach, and you must provide a written statement setting out any relevant information relating to the actual or suspected personal data breach, including:
your name, department and contact details
the date of the actual or suspected breach
the date of your discovery of the actual or suspected breach
the date of your statement
a summary of the facts relating to the actual or suspected breach, including the types and amount of personal data involved
what you believe to be the cause of the actual or suspected breach
whether the actual or suspected breach is ongoing
who you believe may be affected by the actual or suspected breach.
You must then follow the further advice of the DPO. You must never attempt to investigate the actual or suspected breach yourself, and you must not attempt to notify affected data subjects. The Company will investigate and assess the actual or suspected personal data breach in accordance with the response plan set out below, and the data breach team will determine who should be notified and how.
Response plan
The Company's DPO will assemble a team to investigate, manage and respond to the personal data breach. They will lead this team, and the other members will consist of nominated senior members of the management team. The data breach team will then:
1. Make an urgent preliminary assessment of what data has been lost, why and how.
2. Take immediate steps to contain the breach and recover any lost data.
3. Undertake a full and detailed assessment of the breach.
4. Record the breach in the Company's data breach register.
5. Notify the relevant jurisdictional body where the breach is likely to result in a risk to the rights and freedoms of data subjects.
6. Notify affected data subjects where the breach will likely result in a high risk to their rights and freedoms.
7. Respond to the breach by putting in place any further measures to address it and mitigate its possible adverse effects, and to prevent future breaches.