Policies and procedures

Polices and procedures.

Data security breach management policy and procedure

Surrey Heath Borough Council (SHBC) is committed to ensuring that all personal data we process, including that of colleagues and customers, is managed appropriately and in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) (collectively referred to as “Data Protection legislation”)

As SHBC processes personal data it is committed to ensuring all unauthorised or unlawful processing, loss, destruction of or damage to data (personal data breaches) are swiftly identified and reported within the Council and, where appropriate to the Information Commissioner’s Office and affected individuals.



Human Resources may deal with negligent or malicious non-compliance with this policy through the disciplinary process.

Under the Data Protection Act 2018 and UK General Data Protection Regulation, Surrey Heath Borough Council is a Data Controller. This is a “person” who determines the purposes for which, and the manner in which, any personal data are, or, are not to be processed. The sixth Data Protection principle states that organisations, which process personal data, must ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

As well as defining SHBC’s policy, this procedure lays out the actions, once a breach has occurred.

View the full policy below: