Data Breach Policy

1.1 The St Johnstone Football Club Ltd (the ‘Club’) collects, holds, processes, and shares personal
data, a valuable asset that needs to be suitably protected.
1.2 Every care is taken to protect personal data from incidents (either accidentally or deliberately) to
avoid a data protection breach that could compromise security.
1.3 Compromise of information, confidentiality, integrity, or availability may result in harm to
individual(s), reputational damage, detrimental effect on service provision, legislative noncompliance, and/or financial costs.

3.1 For the purpose of this policy, data security breaches include both confirmed and suspected
incidents.
3.2 An incident in the context of this policy is an event or action which may compromise the
confidentiality, integrity or availability of systems or data, either accidentally or deliberately, and has
caused or has the potential to cause damage to the Club’s information assets and / or reputation.
3.3 An incident includes but is not restricted to, the following:
3.3.1 loss or theft of confidential or sensitive data or equipment on which such data is stored (e.g.
loss of laptop, USB stick, iPad / tablet device, or paper record);
3.3.2 equipment theft or failure;
3.3.3 system failure;
3.3.4 unauthorised use of, access to or modification of data or information systems;
3.3.5 attempts (failed or successful) to gain unauthorised access to information or IT system(s);
3.3.6 unauthorised disclosure of sensitive / confidential data;
3.3.7 website defacement;
3.3.8 hacking attack;
3.3.9 unforeseen circumstances such as a fire or flood;
3.3.10 human error;
3.3.11 ‘blagging’ offences where information is obtained by deceiving the organisation who holds it.

4.1 Any individual who accesses, uses or manages the Club’s information is responsible for reporting
data breach and information security incidents immediately to the Data Protection and the club’s IT
consultant Flonix Ltd.
4.2 If the breach occurs or is discovered outside normal working hours, it must be reported as soon
as is practicable.
4.3 The report must include full and accurate details of the incident, when the breach occurred
(dates and times), who is reporting it, if the data relates to people, the nature of the information,
and how many individuals are involved. An Incident Report Form should be completed as part of the
reporting process (refer to Appendix 1).
4.4 All staff should be aware that any breach of Data Protection legislation may result in the Club’s
Disciplinary Procedures being instigated.

5.1 The Club’s Data Protection Officer (DPO) will firstly determine if the breach is still occurring. If so,
the appropriate steps will be taken immediately to minimise the effect of the breach.
5.2 An initial assessment will be made by the DPO in liaison with relevant officer(s) to establish the
severity of the breach and who will take the lead investigating the breach, as the Lead Investigation
Officer (this will depend on the nature of the breach; in some cases it could be the DPO).
5.3 The Lead Investigation Officer (LIO) will establish whether there is anything that can be done to
recover any losses and limit the damage the breach could cause.
5.4 The LIO will establish who may need to be notified as part of the initial containment and will
inform the police, where appropriate.
5.5 The LIO, in liaison with the relevant officer(s) will determine the suitable course of action to be
taken to ensure a resolution to the incident.

6.1 An investigation will be undertaken by the LIO immediately and wherever possible, within 24
hours of the breach being discovered / reported.
6.2 The LIO will investigate the breach and assess the risks associated with it, for example, the
potential adverse consequences for individuals, how serious or substantial those are and how likely
they are to occur.
6.3 The investigation will need to take into account the following:
6.3.1 the type of data involved;
6.3.2 its sensitivity;
6.3.3 the protections are in place (e.g. encryptions);
6.3.4 what has happened to the data (e.g. has it been lost or stolen
6.4.5 whether the data could be put to any illegal or inappropriate use;
6.4.6 data subject(s) affected by the breach, number of individuals involved and the potential effects
on those data subject(s);
6.4.7 whether there are wider consequences to the breach.

7.1 The DPO in conjunction with the Board of Directors will establish whether the Information
Commissioner’s Office will need to be notified of the breach, and if so, notify them within 72 hours
of becoming aware of the breach, where feasible.
7.2 Every incident will be assessed on a case by case basis; however, the following will need to be
considered:
7.2.1 whether the breach is likely to result in a high risk of adversely affecting individuals’ rights and
freedoms under Data Protection legislation;
7.2.2 whether notification would assist the individual(s) affected (e.g. could they act on the
information to mitigate risks?);
7.2.3 whether notification would help prevent the unauthorised or unlawful use of personal data;
7.2.4 whether there are any legal / contractual notification requirements;
7.2.5 the dangers of over notifying. Not every incident warrants notification and over notification
may cause disproportionate enquiries and work.
7.3 Individuals whose personal data has been affected by the incident, and where it has been
considered likely to result in a high risk of adversely affecting that individual’s rights and freedoms,
will be informed without undue delay. Notification will include a description of how and when the
breach occurred and the data involved. Specific and clear advice will be given on what they can do to
protect themselves, and include what action has already been taken to mitigate the risks. Individuals
will also be provided with a way in which they can contact the Club for further information or to ask
questions on what has occurred.
7.4 The LIO and / or the DPO must consider notifying third parties such as the police, insurers, banks
or credit card companies, and trade unions. This would be appropriate where illegal activity is known
or is believed to have occurred, or where there is a risk that illegal activity might occur in the future.
4
7.5 The LIO and or the DPO will consider whether the Club needs to consider a press release and to
be ready to handle any incoming press enquiries.
7.6 A record will be kept of any personal data breach, regardless of whether notification was
required.

8.1 Once the initial incident is contained, the DPO will carry out a full review of the causes of the
breach; the effectiveness of the response(s) and whether any changes to systems, policies and
procedures should be undertaken.
8.2 Existing controls will be reviewed to determine their adequacy, and whether any corrective
action should be taken to minimise the risk of similar incidents occurring.
8.3 The review will consider:
8.3.1 where and how personal data is held and where and how it is stored;
8.3.2 where the biggest risks lie including identifying potential weak points within existing security
measures;
8.3.3 whether methods of transmission are secure; sharing minimum amount of data necessary;
8.3.4 staff awareness;
8.3.5 implementing a data breach plan and identifying a group of individuals responsible for reacting
to reported breaches of security.
8.4 If deemed necessary, a report recommending any changes to systems, policies and procedures
will be considered by the Board of Directors.

9.1 This policy will be updated as necessary to reflect best practice and to ensure compliance with
any changes or amendments to relevant legislation.
9.2 This policy was last reviewed in May 2020 and will be reviewed no later than November 2021.