Data Breach Policy

Published: 1 August 2024

Introduction 

The Market-wide Half-Hourly Settlement (MHHS) Programme (the “Programme”) is processing personal data [1] for the purpose of enabling industry-wide Systems Integration Testing (SIT), Qualification & Migration/Transition. Elexon, in its capacity of the Programme, is the Controller [2] for these processing activities. The processing involves sharing this data between Elexon, Elexon’s sub-processor Expleo, and Industry Participants.

The Programme is required under the retained EU law version of the General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (DPA 2018) to meet data protection standards and to ensure appropriate and proportionate security and confidentiality of all the personal and sensitive personal data it processes. This includes data processed by third parties acting on its behalf.

The context to this policy is the Seventh Data Protection Principle of the DPA 2018:

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

[1] MPAN/Metering System details including MPAN Core/Number, MPAN address and Meter Serial Number relating to domestic and micro business premises.

[2] See DPIA held by Elexon Legal for more details on the Programme’s status as controller, and the nature of the processing more generally.

What does this policy cover?

This policy applies to all personal data processed by the Programme, or anyone acting on behalf of MHHS. 

This Policy shall cover the notification reporting elements following a Data Breach. This Policy also applies to Data Breaches that have been notified to Elexon by Industry Participants. Industry Participants participating in the Programme are required to comply with Data Processing Obligations to notify Elexon of any Personal Data breach as set out in the Bilateral Data Sharing Agreement or under BSC Sections 12.9A, 12.9B and 12.9C. 

For the purposes of MHHS System Integration Testing, Industry Participants act as Processors of the Data. Each Processor is required, without undue delay, to notify the Controller (Elexon, in its capacity as MHHS Implementation Manager) in the event that the Processor becomes aware of a Personal Data breach.

In order to facilitate notifications by Industry Participants, the Programme will make available the information set out in Annexes 2 and 3.

Definition of a Data Breach 

A Personal Data Breach means one or more of the following:

“Confidentiality breach” - where there is an unauthorised or accidental disclosure of, or access to, personal data. 

“Integrity breach” - where there is an unauthorised or accidental alteration of personal data.

“Availability breach” - where there is an accidental or unauthorised loss of access to, or destruction of, personal data. Personal data which is even temporarily unavailable will be considered a Data Breach and may require notification to the ICO if the unavailability has a significant negative effect on individuals.

Examples include:

• Sending personal data (i.e. sharing MPAN, address or Meter Serial Number) to the wrong recipient via an insecure method i.e. email;
• Using the above data for another purpose than MHHS Testing or Data Migration activities e.g. sales activities
• A security breach (or suspected breach) of a participants test environment e.g. an unauthorised person has gained access to a system or systems. 

Where a security breach has been identified that also involves personal data, the following procedure will also apply.

 

Reporting a personal data breach

We have put in place procedures to deal with any suspected Personal Data Breach. 

If you know or suspect that a personal data breach has occurred, or have received a notification from an Industry Participant, do not attempt to investigate the matter yourself. You should ensure that you preserve all evidence relating to the potential Personal Data Breach and immediately report this to Legal and Information Security. Please note that no employee shall communicate any information about the suspected Data Breach outside of the MHHS Programme without receiving permission from Legal and the Director of Strategic Programmes.

You must complete the Data Breach Report Form (Appendix 3) and immediately email this through to:

• Nicholas Brown, General Counsel and Company Secretary (elexon-legal@elexon.co.uk) and
• Stuart Toner, Information Security Manager (security@elexon.co.uk) 

We will then use this evidence to assess the severity of the breach using the European Data Protection Board’s Guidelines 9/2022 on personal data breach notification under GDPR. 

Any suspected Data Breach will be immediately investigated and in the event a Data Breach is found to have occurred, an emergency information security meeting shall be called. Members to be included at the emergency meeting are senior representatives from: Legal, Information Security and the affected business unit. Depending on the severity of the Data Breach, the Director of Strategic Programmes may also be involved in the emergency meeting.

The emergency meeting committee shall determine the scope of the Data Breach and set out corrective actions to be undertaken without undue delay. The committee shall apply this Policy and determine whether the Data Breach is significant enough that it requires providing notification to the ICO and/or the individuals affected (set out below in Appendix 1). We shall keep a note of the outcome of the meeting.

Actions to be taken in the event of a data breach

We need to consider the likelihood and severity of the risk to people’s rights and freedoms, following the breach. The incident should be managed using the CANE approach:

1. Contain

1.1    All efforts must be made in order to minimise the effects of any data breach or a further breach. The immediate priority is to contain the breach to limit its scope, impact and any further damage.

2. Assess

2.1    Using the information provided as part of the completed Data Breach Report Form (Appendix 3), an initial assessment is made to consider the likelihood and severity of the risk to people’s rights and freedoms, following the breach. 

2.2    Consideration will include the types of data involved, volume of data involved, quantity of data subjects (persons affected) involved, assessment of ongoing risks and any mitigating features.

3. Notify (full procedure in Appendix 1)

3.1    Once an assessment has been made, if it is likely that there will be a risk then we will notify the applicable regulator; if it is unlikely then we are not under any obligation to report. 

3.2    We will decide whether we need to notify the applicable regulator (Information Commissioner’s Office (ICO)) within 72 hours of the breach and will notify individuals where we are legally required to do so.

4. Evaluate

4.1    Once the breach has been actioned, the cause of the breach needs to be considered. 

4.2    In order to ensure that appropriate measures are in place to prevent a recurrence of the Data Breach, and to ensure that the Data Breach process itself is working effectively, there may be a need to consider further more assertive action. This could involve updates to policies and procedures or to conduct additional training.

Non-compliance

If we do not comply with our notification requirements under the GDPR (as set out in this policy) we could be fined up to £17.5million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher. 

In the event of non-compliance, we may be the subject of: 

• complaints made to the ICO about us;
• claims for damages from individuals;
• suspension of our processing personal data by the ICO; or
• loss of reputation potentially leading to our inability to continue the administration of the BSC.

This policy applies to all employees, contractors and service provider personnel who are engaged in Programme activities and your compliance is mandatory. It is important that everyone within the Programme understands the obligations required in relation to Data Breaches. We may take disciplinary action in relation to any non-compliance.

Reviews

This Data Breach Policy is subject to periodic reviews (at least every 24 months) by Legal and/or Information Security in line with future legislative changes.

Record reviews are to be kept and any necessary actions taken (as per section 1).

 

Appendix 1: Notification Procedure

1.1.    When are we required to notify the ICO?

• Where a Data Breach has occurred, we shall follow the procedures in our Information Security Management System (ISMS) and above to establish the likelihood and severity of the Data Breach and determine the resulting risk to the rights and freedoms of individuals affected. If it is likely there will be such a risk, we must notify the ICO without undue delay and where feasible, no later than 72 hours after we have become aware of the Data Breach. Please note that if we notify the ICO later than 72 hours having become aware of the Data Breach, we must justify the delay, otherwise we could incur a significant fine. If however we decide we don’t need to report the breach, we need to be able to justify this decision if ever questioned, therefore we must document it.
• If we are processing data on behalf of another organisation and we incur a Data Breach, we must immediately notify the Data Controller of that data who will in turn notify the ICO. If however we are the Data Controller and are notified by an organisation who is processing data on our behalf, we must notify the ICO.

What to include in our notification

• When we notify the ICO about a Data Breach, we must include the following information and document it for our internal records:
  • Name and contact details of our Data Protection Officer (DPO) (if we have one appointed) or other point of contact;
  • The nature of the Data Breach (including the facts, estimated numbers of individuals affected and the categories and approximate number of personal data records concerned);
  • The likely consequences of the Data Breach; and
  • The measures we have taken and propose to take to address the Data Breach.  
    
    
• We should provide all required information to the ICO at the same time unless this is not possible where we can provide this information in phases but without undue further delay. 

1.2.    When are we required to notify the affected individual?  

• Where a Data Breach has occurred, having assessed the severity of the Data Breach, we must determine whether this is likely to result in a high risk to the rights and freedoms of the individuals affected by the Data Breach. If this is the case, we must proceed to notify the individuals concerned in clear and plain language, without undue delay. Similarly, having notified the ICO in accordance with our obligations above, we may be ordered by them to notify the individuals affected by the Data Breach.
• We will not necessarily be required to notify the individuals concerned in the event that:
  • We have implemented appropriate technical and organisational protection measures and those measures were applied to the personal data affected by the Data Breach. Such measures may include encryption and anonymization.
  • We have taken subsequent measures, which ensure that the high risk to the rights and freedoms of the individuals are no longer likely to materialise.
  • A communication to the individual would involve disproportionate effort – i.e. where a public communication would be more appropriate in the circumstances. 

What to include in our notification  

• When we notify an individual who has been affected by a Data Breach, we must include the following information and document it for our internal records:
  • Name and contact details of our Data Protection Officer (if we have one appointed) or other point of contact;
  • The nature of the Data Breach (including the facts);
  • The likely consequences of the Data Breach; and
  • The measures we have taken and propose to take to address the Data Breach.  
    
    
• We should provide all required information to the individual at the same time unless this is not possible where we can provide this information in phases but without undue further delay. 

 

Appendix 2: Information for MHHS Industry participants

• Where an Industry Participant becomes aware that there has been any Personal Data breach in relation to MHHS Test Data (as defined in the BSC), the Industry Participant shall, as soon as reasonably practicable, notify the MHHS Programme.
  • The notification must be sent by completing the online form [3] and marked as Urgent: Potential Personal Data Breach
• The notification should take the form of the Data Breach Report Form.
• Taking into account the nature of the Processing and the information available to the Processor, the Processor shall provide all reasonably necessary assistance to Elexon in order to enable Elexon to comply with its Controller obligations under Data Protection Laws to notify the Information Commissioner’s Office (“ICO”) and Data Subjects.
• The Industry Participant shall not make any public statement in relation to a Personal Data Breach without the written agreement of Elexon, save where required by law.

[3] The form can also be accessed via the web browser (using the drop down menus on the top bar of the Collaboration Base: Collaboration Base>Testing>Test Data>Data Breach Reporting Process)

 

Appendix 3: Data Breach Report Form

Please complete this form in the event of a data breach:

To be completed by employee    

• Details of Breach:
  
  __________________________________________________________________________________________________________________________________________
• Name and contact details of the individual making the report:    
  
  __________________________________________________________________________________________________________________________________________
• Date and time the breach was identified and by whom:    
  
  __________________________________________________________________________________________________________________________________________
• Description of the breach including, but not limited to:
  • Personal data placed at risk by the breach;
  • Number of data subjects affected by the breach;
  • IT systems/equipment/records involved in the breach;
  • how the breach occurred; and
  • any mitigating features e.g. files encrypted/password protected    
    ___________________________________________________________________________________________________________________________________
    ___________________________________________________________________________________________________________________________________
    ___________________________________________________________________________________________________________________________________
    ___________________________________________________________________________________________________________________________________
• Description of any actions taken at the point of discovery:
  
  __________________________________________________________________________________________________________________________________________
• Who has been informed of the breach?  
  
   _________________________________________________________________________________________________________________________________________
• Any other relevant information:
  
  __________________________________________________________________________________________________________________________________________
  __________________________________________________________________________________________________________________________________________