Data breaches: our process and approach

Guidance last updated Feb 2020

PLEASE NOTE: This guidance relates specifically to Ombudsman Services’ process and approach to data breaches. We would remind all member companies that they should have their own processes and procedures in place to ensure GDPR requirements are met and that data breaches are also appropriately managed. The below relates purely to data breaches involving Ombudsman Services. This document does not constitute advice.

Introduction

In providing an Alternative Dispute Resolution (ADR) scheme, Ombudsman Services handles a significant amount of personal data.

Personal data is provided to Ombudsman Services by the consumer wishing to use our service and by the companies involved in the complaints brought to us.

Ombudsman Services is registered on the "public register of data controllers", and for the purposes of ADR under the General Data Protection Regulation and UK Data Protection Act 2018 is the data controller.

We have therefore put in place appropriate technical and organisational measures to protect all data held by us.

Read our privacy policy to find out more about how we securely store and handle personal data.

Breaches of data protection

Any suspected breaches of data protection are taken seriously and are dealt with by Ombudsman Services appropriately.

On the report of a suspected issue or breach of data protection, Ombudsman Services takes prompt action to investigate and to establish, with a reasonable degree of certainty, whether a breach has taken place.

Article 33 of GDPR confirms that it is the data controller who shall notify the personal data breach to the Information Commissioner’s Office (ICO) as the supervisory authority in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of “natural persons.”

Data controllers are exempt from the notification requirement only where they can demonstrate that the data breach is unlikely to result in a risk to the rights and freedoms of the individual.

At Ombudsman Services we have an established team that has been trained to investigate and assess any suspected breaches identified and reported within the business.

Data breaches: our process

Our operational teams are given regular, ongoing training on data protection and this includes the ability to identify and internally report any potential data breaches to our legal and compliance team as soon as they are identified.

The legal and compliance team will then investigate each report to determine:

a) whether a breach has occurred;

b) if so, what action needs to be taken to contain, remedy or mitigate the breach;

c) whether it is reportable to the ICO; and

d) whether it is reportable to the individual(s) concerned.

In compliance with data protection legislation, Ombudsman Services’ Data Protection Officer (DPO) will notify the ICO as the supervisory authority of any breach where there is a risk to the rights and freedoms of the individual.

Methodology: our approach to assessing the risk to the rights and freedoms of the individual

Data protection legislation suggests that when assessing a breach, consideration should be given to both the likelihood and severity of the risk to the rights and freedoms of data subjects, that risk being evaluated on the basis of an objective assessment.

Therefore, in considering the details of the breach, the legal and compliance team takes a risk-based approach, considering both the likelihood and the severity of the risk to people’s rights and freedoms.

Members of the team look at the types of risks, for example:

• inconvenience

• emotional risk

• physical risk

• material damages

• financial losses

They then look at the factors relevant to that risk, for example:

• the type of data

• the number of individuals affected

• who / where the data is held

• any permanence to the consequences

One type of suspected breach that is identified and reported within the business is a participating company uploading incorrect information to a customer’s account.

How many suspected data breaches caused by a participating company have we identified?

The following chart shows the number of suspected breaches identified caused by member companies in the period March 2019 to December 2019:

[Chart: Monthly Volumes]

The chart below provides an overview of the type of suspected breaches that were reported to the legal and compliance team for investigation during December 2019:

[Chart: Cause]

Mitigating steps undertaken by Ombudsman Services for documents uploaded by member companies

Ombudsman Services has put in place a number of operational measures to address incorrect uploads by participating companies.

Within our case management system (CMS) multiple warnings are given to the user to confirm that the data is accurate and is being uploaded to the correct case file.

Ombudsman Services also samples a percentage of the data uploaded by member companies as an additional check before it is published to case files. The percentage checked by Ombudsman Services is based on calculations that take account of the company’s previous errors.

Member companies are asked to have checks in place to ensure that the correct files are uploaded and that they have their own front-line checking procedure.

We currently have a process in place whereby 10% of all case files uploaded to our system by member companies are randomly checked. If a breach is identified, we will then increase the volume of checks of case files uploaded by that member company.

Assuming there are no further breaches we then revert to checking 10% of all case files uploaded by that member company.

Informing member companies of potential breaches

We understand that member companies will want to know about potential breaches, so that steps can be taken internally to minimise the risk of them happening again.

That’s why, every month, we provide you with information about every potential breach involving your company.

This monthly report includes details of all suspected breaches identified and reported internally to the legal and compliance team.

These reports include fields such as:

• Case reference number
• Breach type
• What happened?
• Breach department
• Breach who?
• How discovered?
• How happened?
• Where is the data?
• Steps taken to contain
• Date occurred
• Date identified

If a suspected breach is required to be reported to the ICO, we will contact the relevant member company’s DPO at the point we have completed our investigation into that breach and decided to report the matter to the ICO.

Member companies should be aware that, when we identify that a company has uploaded incorrect information to a case, the information will be immediately removed to ensure that the breach is contained and any impact on the data subject is minimised.

This does mean that the company will be unable to view the information in question on our case management system (CMS). Companies will, however, still be able to see their own users’ actions in relation to any given case.

Who to contact for more information or in the event of a potential breach

When a member company suspects that it has potentially caused a breach of data protection legislation, we ask for details to be sent to both of the following email addresses:

OSAccountManagers@Ombudsman-Services.org

AND

DPO@ombudsman-services.org

Find out more

If you have any questions, please contact our Relationships team by emailing OSAccountManagers@Ombudsman-Services.org