This policy (the “Policy”) aims to help Criptyque Pryvate exchange Jersey Limited (the “CPEJL”) manage breaches related to Personal Data (defined here below) effectively. CPEJL holds Personal Data pertaining to its end-users, employees, clients, suppliers and other individuals for extending its identity verification services to various corporations throughout the world. CPEJL is committed to the correct, lawful and fair handling of all Personal Data, respecting the legal rights, privacy, and trust of all individuals with whom it deals with.
The regulations across various jurisdictions and countries in which CPEJL operates requires it (i) to make reasonable security arrangements; (ii) to protect the Personal Data that it controls or processes; (iii) to prevent unauthorised access, collection, use, and disclosure; or (iv) to do or carry out similar risks.
This Policy applies to employees, affiliates, contractual third parties in receipt of Personal Data, and to such others as necessary for protection of data (collectively referred to as “Personnel”). The Personnel must be familiar with this Policy and comply with its terms. The Policy supplements our Data Protection and Security Policy.
CPEJL may supplement this Policy by introducing additional policies and guidelines from time to time. Any new or modified policy will be circulated to the Personnel before being adopted.
Our Data Protection Officer, Mr. Ricky Magalhaes, has the overall responsibility for the implementation of this Policy.
All Personnel including employees who are in receipt of Personal Data (the “Information Owners”) receive training with regards to this Policy and any new employees who may deal with Personal Information receive training as part of their induction process. Further training may be provided at least once every year or whenever there is a substantial change in the law or any of our policy and/or procedure. As such, completion of training is compulsory for all Information Owners. Additionally, CPEJL may also require other Personnel to undergo similar training in pursuance of implementation of this Policy.
Such training is provided through in-house seminars and/or online training on an annual basis, and covers the applicable laws relating to data protection, and CPEJL’s data protection and related policies and procedures.
If you have any questions or concerns about any part of the content of this Policy, please feel free to contact the Data Protection Officer (“DPO”).
APPLICABLE LEGISLATION CONSIDERATIONS:
• UK Data Protection Act 2018 (the “DPA”)
Under the DPA, Personal Data means any information relating to an identified or identifiable natural person (the “Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The DPA also defines Sensitive Personal Data as Personal Data relating to the racial or ethnic origin of the Data Subject, their political opinions, their religious (or similar) beliefs, trade union membership, their physical or mental health condition, their sexual life, the commission or alleged commission by them of any offence, or any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings (the “Sensitive Personal Data”).
• EU General Data Protection Regulation (EU) 2016/679 (the “GDPR”)
The GDPR applies if the data controller (organization that collects data from EU residents), processor (organization that processes data on behalf of data controller), or the Data Subject (person) is based in the EU. The GDPR also applies to organizations based outside the EU if they collect or process Personal Data of EU residents.
According to the European Commission, Personal Data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.
PERSONAL DATA COLLECTED BY CPEJL:
CPEJL defines Personal Data as the broader of the definitions contained in GDPR.
Any use of Sensitive Personal Data is to be strictly controlled in accordance with this Policy. While some data will always relate to an individual, other data may not relate to an individual on its own. Such data would not constitute Personal Data unless it is associated with, or made to relate to, a particular individual.
PERSONALLY, IDENTIFIABLE INFORMATION:
Personally, identifiable information collected by CPEJL includes name, contact information (email ID and phone number), date of birth, address, document(s) number and any other information required to carry out the verification checks chosen by CPEJL’s client. For instance, (i) if the client selects the face verification service, we will also collect the image (selfie) or video (short clip showing end-user’s face) proof from the end-user; and (ii) if the client opts for document verification, we would require an image or video of the desired document.
DATA COLLECTED FROM CLIENT:
Depending on the type of verification process selected, i.e. onsite or offsite, the data is collected directly from the end-users or the clients. In case if it is from the clients, the clients take the information and image and video proofs from the end-users and pass the data to us via the application programming interface (“API”). In case the clients do not provide certain information required for the selected services, the missing information is collected directly from the end-users. The end-users may be asked to show their documents in real-time so the relevant information may be extracted via optical character recognition technology, if so required.
DATA COLLECTED FROM END-USERS:
Data collected from end-users includes, but is not limited to, the images and videos of the end-user’s identity documents (e.g. passport, ID card, or driving license) and their biometric facial identifiers (e.g. face images/videos). We also require textual information that is either extracted directly from the end-user’s identity documents or is provided by the end-user during the verification process.
PERSONAL DATA GATHERED FOR INTERNAL OPERATIONAL PURPOSES:
Such Personal Data gathered relates to identifiable individuals such as job applicants, current and former employees, contractual and other staff, clients, suppliers, and marketing contacts, and the data gathered may include individuals' contact details, educational background, financial and pay details, details of certificates and diplomas, education and skills, marital status, nationality, job title, and CV.
POTENTIAL CAUSES OF DATA BREACH:
Data breaches may be caused by Personnel, parties external to the organisation, or computer system errors.
1. Human Error
Such errors include:
• Loss of computing devices (portable or otherwise), data storage devices, or paper records which contain Personal Data;
• Disclosing data to a wrong recipient;
• Handling data in an unauthorised way (e.g. downloading a local copy of Personal Data);
• Unauthorised access or disclosure of Personal Data by Personnel (e.g. sharing a login);
• Improper disposal of Personal Data (e.g. hard disk, storage media, or paper documents containing Personal Data sold or discarded before data is properly deleted).
2. Malicious Activities
Such activities include:
• Hacking incidents or illegal access to databases containing Personal Data;
• Theft of computing devices (portable or otherwise), data storage devices, or paper records containing Personal Data;
• Password guessing and cracking;
• Session hijacking, session spoofing etc.;
• Network traffic sniffing;
• Denial of service attacks;
• Exploiting buffer overflow vulnerabilities;
• SQL injection.
3. Computer System Error
Such errors include:
• Errors or bugs in CPEJL’s Mobile App or API;
• Failure of cloud services, cloud computing or cloud storage security, authentication, or authorisation systems;
• Power failure of computer systems.
All Personnel have an obligation to report actual or potential data protection compliance failures. This allows us to:
• Investigate the failure and take remedial steps if necessary;
• Maintain a register of compliance failures; and
• Notify the data controller or the Data Subject of any compliance failures that are material either in their own right or as part of a pattern of failures.
Under the GDPR, the data processor is legally obliged to notify the relevant data controller of the breach without undue delay (Article 33) so that the controller may notify the appropriate supervisory authority or the concerned Data Subject if adverse impact is determined (Article 34).
For the benefit of the relevant data controller, CPEJL shall include, where available, the following information in the notification:
• Extent of the data breach;
• Type and volume of Personal Data involved;
• Cause or suspected cause of the breach;
• Whether the breach has been rectified;
• Measures and processes that the organisation had put in place at the time of the breach;
• Information on whether affected individuals of the data breach were notified and if not, when CPEJL intends to do so;
• Contact details of CPEJL staff with whom the controller can liaise for further information or clarification.
However, CPEJL does not have to notify the data controller or the Data Subject(s) if anonymized data is breached. Specifically, the notice to data controller(s) is not required if CPEJL has implemented pseudonymisation techniques like encryption along with adequate technical and organizational protection measures to the Personal Data affected by the data breach (Article 34).
DATA BREACH TEAM (the “DBT”):
The DBT, consisting of the DPO and any Personnel assigned to the team by the DPO, shall have the responsibility to make all time-critical decisions on steps taken to contain and manage the incident.
The DBT should immediately be alerted of any confirmed or suspected data breach at the following email address:
Name: Ricky Magalhaes
Email: [email protected]
RESPONDING TO A DATA BREACH:
Data Breach Management Plan
Upon being notified of a (suspected or confirmed) data breach, the DBT should immediately activate this data breach and response plan; CPEJL shall deal with any suspected or actual data breach by taking the following steps:
1. Confirm the Breach
The DBT should act as soon as it becomes aware of a data breach. Where possible, it should first confirm that the data breach has occurred. It may make sense for the DBT to proceed to contain the breach on the basis of an unconfirmed reported data breach, depending on the likelihood of the severity of risk.
2. Contain the Breach
The DBT should consider the following measures to contain the breach, where applicable:
• Shut down the compromised system that led to the data breach;
• Establish whether steps can be taken to recover lost data and limit any damage caused by the breach (e.g. remotely disabling or wiping a lost notebook containing Personal Data);
• Prevent unauthorised access to the system;
• Reset passwords if accounts and/or passwords have been compromised;
• Isolate the causes of the data breach in the system and, where applicable, change the access rights to the compromised system and remove external connections to the system.
3. Assess Risks and Impact
Knowing the risks and impact of data breaches will help CPEJL determine whether there could be serious consequences to the affected individuals as well as the steps necessary to notify the individuals affected.
Risk and Impact on Individuals
• How many people were affected? A higher number may not mean a higher risk but assessing this helps the overall risk assessment.
• Whose Personal Data had been breached? Does the Personal Data belong to Personnel, customers, or minors? Different people face varying levels of risk as a result of a loss of Personal Data.
• What types of Personal Data were involved? This will help ascertain if there are any risks to reputation, identity theft, safety and/or financial loss of affected individuals.
• Any additional measures in place to minimise the impact of a data breach? For example, a lost device protected by a strong password or encryption could reduce the impact of a data breach.
Risk and Impact on the Organisation
• What caused the data breach? Determining how the breach occurred (through theft, accident, unauthorised access, etc.) will help identify immediate steps which may be taken to contain the breach and restore the service.
• When and how often did the breach occur? Examining this will help CPEJL better understand the nature of the breach (e.g. malicious or accidental).
• Who might gain access to the compromised Personal Data? This will ascertain how the compromised data could be used. In particular, affected individuals must be notified if Personal Data is acquired by an unauthorised person.
• Will the compromised data affect transactions with any other third parties? Determining this will help identify if other organisations need to be notified.
4. Report the Incident
CPEJL, if or when acting as a processor, is legally required to notify the controller of any data breach pertaining to the controller’s end users. In the event the risk assigned to a breach is high then CPEJL may also inform the individual whose data has been breached. CPEJL, if acting as a controller, is legally required to notify individuals directly in the event of a breach. Furthermore, CPEJL shall report to the supervisory authority as already described above.
Who to Notify:
• Notify the controller.
• Notify individuals whose Personal Data has been compromised.
• Notify relevant body under GDPR, especially if a data breach involves Sensitive Personal Data.
• The relevant authorities (e.g. police) should be notified if criminal activity is suspected and evidence for investigation should be preserved (e.g. hacking, theft, data leak or unauthorised system access by Personnel)
When to Notify:
• Notify the controller as soon as data breach is suspected.
• Notify affected individuals immediately if a data breach involves Sensitive Personal Data; this allows them to take necessary actions early to avoid potential abuse of the compromised data.
• Notify affected individuals when the data breach is resolved, if acting as a controller.
How to Notify:
• Use the most effective ways to reach out to the controller or the individual taking into consideration the urgency of the situation and number of individuals affected (e.g. mobile messaging, SMS, e-mails, telephone calls).
• Notifications should be simple to understand, specific, and provide clear instructions on what the controller or individuals can do to protect themselves.
What to Notify:
• How and when the data breach occurred and the types of Personal Data involved in the data breach.
• What CPEJL has done or will be doing in response to the risks brought about by the data breach.
• Specific facts on the data breach where available and required, and actions individuals can take to prevent that data from being misused or abused.
• Contact details and how the affected individuals can reach CPEJL for further information or assistance (e.g. helpline numbers, e-mail addresses or website).
5. Evaluate the Response and Recovery to Prevent Future Breaches
After the above steps have been taken to resolve the data breach, CPEJL should review the cause of the breach and evaluate if existing protection and prevention measures and processes are sufficient to prevent similar breaches from recurring and, where applicable, put a stop to practices which led to the data breach. The Data Breach Evaluation Form has been provided hereunder (Annexure A).
MONITORING AND COMPLIANCE:
The DPO has the overall responsibility for regulating and implementing this Policy. The DPO shall review and monitor this Policy regularly to ensure that it is effective, relevant, and adhered to.
CPEJL takes compliance with this Policy very seriously because failure or negligence to comply puts both, Personnel and the organisation, at risk. The importance of this Policy means that failure to comply with any requirement may lead to disciplinary action under our procedures which may result in dismissal. CPEJL, in its sole discretion, may also take any legal recourse provided under the applicable law.
DATA BREACH EVALUATION FORM
Serial No: ____________ Date: ________________
Summary of Event of Breach:
Operational and Policy Related Issues:
Were audits regularly conducted on, both, physical and IT-related security measures?
Are there processes that can be streamlined or introduced to limit the damage if future breaches happen
or to prevent a relapse?
Were there weaknesses in existing security measures (such as the use of outdated software and/or protection
measures) or weaknesses in the use of portable storage devices, networking, or connectivity to the internet?
Were the methods for accessing and transmitting Personal Data sufficiently secure (e.g. access limited to authorised personnel only)?
Should support services from external parties be enhanced (such as sub-processors and partners) to better protect the Personal Data?
Were the responsibilities of sub-processors and/or partners clearly defined in relation to the handling of
Is there a need to develop new data-breach scenarios?
Resource Related Issues:
Were sufficient resources allocated to manage the data breach?
Should external resources be engaged to better manage such incidents?
Were key personnel given sufficient resources to manage the incident?
Personnel Related Issues:
Were Personnel aware of security-related issues?
Was training provided on Personal Data protection matters and incident management skills?
Were Personnel informed of the data breach and the steps taken to mitigate the incident?
Management Related Issues:
How was the management involved in the management of the data breach?
Was there a clear line of responsibility and communication during the management of the data breach?