List of active policies

Name Type User consent
SCP Data Protection Policy Privacy policy All users
SCP Data Breach and Security Incident Management Policy and Procedure Site policy All users

Summary

The SCP Data Protection Policy is applicable to all staff (regardless of the type of employment or contractual arrangement) and, to the extent practicable, to donors, beneficiaries, partners, suppliers, guests, volunteers, consultants, and other persons working for SCP who may receive personal information from SCP, have access to personal data collected or processed by or on behalf of SCP, or who provide information to SCP.

Full policy

SECTION 1: PURPOSE

Save the Children Philippines (“SCP”) is committed to using Personal Data responsibly and to ensuring that all Staff understand and comply with their responsibilities under this Data Protection Policy (“Policy”) and the law. This Data Protection Policy follows and is consistent with the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations (IRR), other issuances of the National Privacy Commission (NPC), and other relevant laws of the Philippines. SCP recognizes that the correct and lawful treatment of Personal Data is a critical responsibility. Failure to adequately protect Personal Data could result in harm to others, reputational damage, loss of income or fines for serious breaches.


This Policy sets out the principles SCP applies in handling and safeguarding Personal Data entrusted to SCP and sets out the obligations of Staff in relation to Personal Data SCP holds or Processes. Each member of Staff has a responsibility to secure and protect the Personal Data in SCP’s care.


This data protection policy ensures that SCP:

  • complies with data protection law under the Data Privacy Act of 2012;
  • follows good data protection practices;
  • protects the rights of children and their families, employees, partners, volunteers, resource person, applicants, suppliers, and/or business contacts, among others;
  • is open about how it stores and processes individuals’ data;
  • protects itself from the risk of a data breach.

This Policy is mandatory for all Staff, and all Staff must read and comply with this Policy and any related procedures and guidance. 

SECTION 2: PRINCIPLES

Save the Children Philippines has developed this Privacy Policy to protect privacy and Personal Data collected and to demonstrate its commitment to keeping personal information collected safe. The Policy contains information about Save the Children's responsibilities, rights of data subjects, the information that may be collected by Save the Children Philippines, and how it will be used.


Personal information is any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual. This includes sensitive information. The type of information collected will depend on the relationship with Save the Children Philippines. Personal information is collected from beneficiaries, partners, donors, members of the public, online users of the Save the Children Philippines website, and Save the Children Philippines personnel (including employees, officers, trustees, delegates, volunteers, candidates for volunteer work and prospective employees).


The primary purpose for collecting personal information from individuals is to provide services to children, including planning, funding, monitoring and evaluating our services. Save the Children Philippines takes reasonable steps to ensure that the personal information it collects, uses, retains or discloses is accurate, complete and up-to-date and is protected from misuse, interference, loss, unauthorized access, modification or disclosure.

SECTION 3: POLICY STATEMENT(S)

Personal Data Protection Principles

SCP must be able to demonstrate compliance with the following data protection principles:

  • Lawfulness, Fairness and Transparency
    • Personal Data must be processed in a fair, lawful and transparent manner. The purpose for processing a person’s data should be determined and disclosed before its collection or as soon as practicable. The consent of the data subject on the collection and processing of his/her data should first be obtained, subject to exemptions provided by laws and regulations. In obtaining his/her consent, the data subject must be informed of the nature, purpose, and extent of the processing of such personal data, including the risks and safeguards involved, the identity of the personal information controller, his rights as a data subject as well as how these can be exercised. Information provided to a data subject must always be in clear and plain language to ensure that they are easy to understand and access.
  • Legitimate Purpose
    • Personal Data must only be collected for specified, explicit and legitimate purposes. The principle of legitimate purpose requires that the collection and processing of information must also be compatible with a declared and specified purpose, which must not be contrary to law, morals, or public policy. In other words, personal data should be processed fairly and lawfully.
  • Proportionality
    • The principle of proportionality requires that the processing of personal information must be relevant to and must not exceed the declared purpose. The personal information may be retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained.
  • Minimal
    • Processing of Personal Data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which the data are Processed. Where possible, SCP must apply anonymization to Personal Data to reduce the risks to the Data Subjects concerned.
  • Accuracy/Data Quality
    • Personal Data must be accurate and, where necessary, kept up to date; reasonable steps must be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are Processed, are erased or rectified in a timely manner.
  • Storage Period Limitation
    • Personal Data must be kept for no longer than is necessary for the purposes for which the Personal Data are Processed.
  • Integrity and Confidentiality
    • Appropriate technical or organizational measures must be adopted to ensure the security of Personal Data, including protection against accidental or unlawful destruction, loss, alteration, unauthorized access, or disclosure.
  • Accountability
    • Personal Information Controllers (PIC) must be responsible for and be able to demonstrate compliance with the principles outlined above.

All Staff shall adhere to these principles when Processing Personal Data. Any suggestions for improvements as to how SCP Processes Personal Data should be sent to the DPO.


Staff shall undertake data protection training within 3 months of joining SCP. This must be refreshed every 12 months, or more frequently if directed.

Lawfulness, Fairness and Transparency of Processing

Whenever Personal Data is Processed, there must be one of the following legal bases present:

  • the Data Subject has given his or her Consent;
  • the Processing is necessary for the performance of a contract with the Data Subject;
  • the Processing is necessary to meet legal compliance obligations;
  • the Processing is necessary to protect the Data Subject’s vital interests, including his or her life and health;
  • the Processing is necessary for the performance of a task carried out to respond to national emergency or in the public interest or safety;
  • the Processing is necessary for the fulfillment of constitutional or statutory management of a public authority; or
  • the Processing is necessary to pursue SCP’s legitimate interests.

Consent

SCP must identify and document the legal basis being relied on for each Processing activity. Where Consent is relied upon, SCP must ensure the following:

  • Consent must be clearly indicated by a statement or positive action.
  • Consent requires affirmative action, so a pre-ticked box would not meet this requirement.
  • The Data Subject has the right to withdraw Consent at any time, and SCP must be able to honor this promptly.
  • Whenever Personal Data Processing is based on the Data Subject's Consent, SCP shall retain a record of such Consent.
  • Where collection of Personal Data relates to a child under the age of 18, and SCP is relying on Consent to Process that Personal Data, SCP must ensure that the child can understand the implications of the collection and processing of their Personal Data. Parental or guardian consent should be sought (unless this is not in the child’s best interests).
  • Unless another legal basis of Processing is being relied upon, where Sensitive Personal Information is being collected, Express Consent of the Data Subject will be required to Process this data.

Children

SCP recognizes that children require specific protection with respect to their Personal Data. SCP shall ensure that the principle of fairness and the best interests of the child are central to all Processing of children’s Personal Data. Consent is one possible legal basis for Processing children’s Personal Data, but SCP recognizes that other bases (such as vital interests, legitimate interests or legal obligation) may be more appropriate.

Transparent Processing

  • Privacy Notices
    • Either before or at the time of collection of any Personal Data, SCP is required to inform Data Subjects about:
      • the kind of Personal Data SCP collects;
      • the reason for collecting the Personal Data;
      • the purposes of the Processing;
      • the legal basis which is being relied upon;
      • the Data Subjects’ rights in relation to the Personal Data;
      • security measures taken in relation to the Personal Data;
      • whether SCP transfers Personal Data to third parties;
      • the retention period and any potential transfers of Personal Data outside the Philippines.

SCP will provide this information to Data Subjects in privacy notices.

  • Children
    • If Personal Data is collected from children, clear privacy notices must be specifically tailored for children, so that they are able to understand what will happen to their Personal Data, and what rights they have.

Data Retention

In general, Personal Data should only be retained/stored for as long as necessary for the purposes for which it was collected. There are, however, certain types of data which SCP must retain for a certain period. SCP will develop its Record Retention Schedule that will set out the specific retention periods for certain categories of data.

Privacy Impact Assessments (PIA)

The Information Owner must carry out a Privacy Impact Assessment (‘PIA’), using the SCP PIA_template when:

  • planning or procuring any new system or Process involving the Processing of Personal Data,
  • making any significant change to an existing system or Process, or
  • planning to initiate or change a Process to collect, use or store any Sensitive Personal Data.

The Information Owner must ensure that the system or Process complies with the Personal Data Protection Principles (listed above in section 1) and minimizes any privacy risks.

Records of all PIAs and approvals must be maintained. Any questions about the PIA Process should be referred to the DPO.

Data Subject Rights

Data Subjects (including children) have the following rights:

  • Right to be informed
    • Data Subjects have a right to know about SCP’s Personal Data protection and data Processing activities, details of which will be contained in SCP’s privacy notices.
  • Right of access
    • Data Subjects can request information about the Personal Data SCP holds about them. They have the right to access specific details with respect to the processing of their personal information, the manner by which such data are processed, and the designation or identity of the personal information controller.
  • Right to object
    • Unless SCP has overriding compelling legitimate grounds for such Processing, Data Subjects may object to SCP using their Personal Data for direct marketing purposes (including profiling) or for research or statistical purposes and may also object if SCP is Processing their data on the grounds of legitimate interest.
  • Right to erasure or blocking
    • Data Subjects have a right to suspend, withdraw, or order the blocking, removal or destruction of data held about them upon discovery and substantial proof of specified instances enumerated in the Data Privacy Act 2012 Implementing Rules and Regulations, unless SCP has reasonable grounds to refuse the erasure.
  • Right to damages
    • Data Subjects may claim compensation for damages due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, considering any violation of his/her rights and freedoms as data subject.
  • Right to rectify
    • Data Subjects have the right to dispute and have corrected any inaccuracy or error in the data SCP holds about them.
  • Right to data portability
    • Data Subjects can ask SCP to provide copies of Personal Data held about them in a commonly used and easily storable format. This allows Data Subjects to electronically move, copy or transfer their data in a secure manner for further use.
  • Right to file a complaint
    • Data Subjects have the right to file a complaint with the National Privacy Commission if their personal information has been misused, maliciously disclosed, or improperly disposed of, or if any of their data privacy rights have been violated.

Subject Access Requests (SARs)

When requests from Data Subjects in relation to the Data Subject’s Rights listed above are received by a Staff member, the Staff member must immediately contact the DPO at legalservices.ph@savethechildren.org. The Staff member shall not respond directly or disclose any information to the Data Subject. 

Requests from Third Parties

If a request for information regarding data SCP holds is received from a third party (including the authorities or regulators), the recipient must not directly disclose any information to the requestor. The recipient should immediately notify the DPO at legalservices.ph@savethechildren.org and the DPO shall accordingly act on the request.

Transfer of Data to Third Parties

If SCP is using any third-party supplier or business partner (Supplier) to Process Personal Data on SCP’s behalf, the relevant Manager/Unit Head is responsible for ensuring that a contract is in place with the Supplier which meets the requirements of applicable data protection legislation. The relevant Manager/Unit Head should also ensure that the Supplier has agreed to adopt security measures to safeguard Personal Data that are appropriate to the associated risks.

If SCP is Processing Personal Data jointly with an independent third party, SCP must explicitly agree in the contract with that third party what each party’s respective responsibilities are with respect to Personal Data.

Cross-border Data Sharing or Transfer

Before sharing or transferring Personal Data out of the Philippines, SCP must ensure that adequate safeguards are in place and the requirements under the Data Privacy Act of 2012 are complied with. New processes which potentially include transfers of Personal Data outside of the Philippines should not be initiated without prior consultation with the DPO and SCP Legal and Compliance Unit.

Data Security

It is important that SCP Staff keep all Personal Data safe and secure, whether held physically or electronically, and do not disclose it or allow access to unauthorised persons.

SCP will take steps to ensure that there are adequate administrative and technical measures to secure Personal Data held by SCP. SCP’s DPO will be responsible for reviewing SCP’s administrative measures. SCP’s IT Manager will be responsible for reviewing SCP’s technical measures under the supervision of the Director for Human Resource, Administration and IT. SCP will also take steps as an organisation to ensure that Staff, and others to whom this Policy applies, are aware of their obligations in relation to Personal Data generally and take security precautions.

Please refer to SCP’s Data Protection Manual and other related IT security policies, which set out in more detail the relevant precautions Staff are required to take to ensure data security, including the secure use of email, internet and mobile devices (e.g. phones, tablets, laptops).

Data Breaches and Notification

A Data Breach includes but is not limited to the following:

  • unauthorised disclosure of Personal Data;
  • loss or theft of confidential or sensitive data;
  • loss or theft of equipment on which Personal Data is stored (e.g. loss of a laptop, USB stick, iPad/tablet device, or paper record);
  • unauthorised use of, access to or modification of IT, data or information systems (e.g. via a hacking attack); and
  • attempts (failed or successful) to gain unauthorised access to IT, data or information systems.

If any member of Staff, or other person learns of a suspected or actual Personal Data Breach, it must be reported to legalservices.ph@savethechildren.org immediately. The report should include as many details of the incident as possible, including date and time of the breach (if known), the nature of the information concerned, and how many individuals are involved.

IT Security will perform incident management and take appropriate remedial measures in a timely manner. 

Staff shall report any Data Breach within 72 hours of becoming aware of such breach. Refer to the Data Breach Reporting Timeline for more details.

Policy Breaches

If you suspect that this Policy may have been breached in any other way, please contact the DPO at legalservices.ph@savethechildren.org. Alternatively, you may wish to follow SCP’s Whistleblowing Policy and Procedures.

Breaches of this Policy and/or any law may result in disciplinary action. 

SECTION 4: DEFINITIONS

Consent

Refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.

Data Protection Officer

The person required to be appointed in specific circumstances under the Data Privacy Act of 2012 (DPA).

Data Subject

Refers to an individual whose personal, sensitive personal, or privileged information is processed.

Information Owner

The person responsible for any Personal Data collected, held, used and/or stored.

Personal Data/Personal Information

Refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

Personal Information Controller (PIC)

Refers to a natural or juridical person, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf. The term excludes:

  1. A natural or juridical person, or any other body, who performs such functions as instructed by another person or organization; or
  2. A natural person who processes personal data in connection with his or her personal, family, or household affairs;

There is control if the natural or juridical person or any other body decides on what information is collected, or the purpose or extent of its processing.


SCP will frequently be a data controller and remain responsible for Personal Data even if SCP is using a third-party Personal Information Processor (e.g. another organisation or individual such as a supplier, partner or contractor) to carry out the Processing.

Personal Information Processor (PIP)

Refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject.

Personal Data Breach

Refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Privacy Impact Assessment (PIA)

A process undertaken and used to evaluate and manage impacts on privacy of a particular program, project, process, measure, system or technology product of a PIC or PIP.

This is an instrument for assessing the potential impacts on privacy of a process, information system, program, software module, device or other initiative which processes personal information and, in consultation with stakeholders, for taking actions as necessary to treat privacy risk. These are tools and assessments used to identify and reduce risks of a data Processing activity.

Process/Processing

Refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system.

Sensitive Personal Information

Refers to personal information:

  1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
  2. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
  3. Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
  4. Specifically established by an executive order or an act of Congress to be kept classified.

Staff

All types of employees of SCP regardless of the type of employment or contractual arrangement.

Relevant Manager

A unit head, manager, or relevant officer managing the collection of personal data.

SECTION 5: RELATED DOCUMENTS

1. Policies:

  • Child Safeguarding Policy
  • Code of Conduct
  • Whistleblowing Policy and Procedure
  • Other relevant IT or IT Security Policy/ies

Data Privacy Act of 2012 related policies, procedures and guidance:

  • SCP_Data_Breach_Management_Procedure
  • SCP_Data Breach Management Timeline
  • SCP_Data_Protection Manual
  • SCP_Privacy Impact Assessment (PIA) Template
  • SCP Consent Forms

2. Human Resources

  • Employee Privacy Notices
  • Disciplinary Action Policy
3. Other References

  • SCI Data Protection Policy
  • Intra STC Data Transfer and Security Agreement
  • Framework Notice of Adherence to the Intra STC Data Transfer and Security Agreement

Summary

The SCP Data Breach and Security Incident Management Policy and Procedure (DBSIMPP) shall enable appropriate response to a security incident by implementing a plan for timely advice on containment and risk management and determining whether further controls or actions are required. A security incident is an event that leads to a violation of SCP’s security policies and puts sensitive data at risk of exposure. A security incident may lead to a data breach. The implementation of sound security incident policies, blocking of unnecessary access to data, improvement in security awareness, and early detection and mitigation of security incidents are some of the actions that can be taken to reduce such risks and decrease the cost of security incident related matters.

Full policy

PURPOSE 

The purpose of this policy is to provide SCP-wide guidance to all staff on proper response to, and efficient and timely reporting of, computer and non-computer security related incidents, such as, but not limited to, unauthorized user activity, data intrusion and all related data privacy violations under the Data Privacy Act of 2012 that would compromise the personal data collected by SCP. It also addresses non-IT violations involving the physical data that SCP is currently handling.

SCOPE

Applicability

This policy and procedure apply to all users throughout Save the Children Philippines (“SCP”), whether employees/staff, officers, trustees, volunteers, partners, suppliers, contractors, consultants, third party service providers (Personal Information Processors), or outsourced personnel, who use, process and manage information from individual systems or servers and other manual data processing systems. They are required to be aware of and follow this procedure in the event of a personal data breach.

Policy and Procedure Documentation

This document is the formal documentation of the SCP Breach and Security Incident Management Policy and Procedure (DBSIMPP).

Document Control

The DBSIMPP document and all other referenced documents shall be controlled. Version control shall be ensured to preserve the latest release and the previous version of any document. However, the previous version of a document shall be retained only for a period of two (2) years for legal and knowledge preservation purposes.

Records

Records generated as part of the DBSIMPP shall be retained for a period of two (2) years, or longer whenever applicable. Records may be in hard copy or electronic media. The records shall be owned by the respective Process Owners, with a copy to the Data Protection Officer, and shall be audited once a year.

Distribution and Maintenance

The DBSIMPP document shall be made available to all personnel and other stakeholders of SCP covered in the scope or the process involved. All changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility for the document shall rest with the Data Protection Officer (DPO) and the Chief Executive Officer.

Confidentiality

The DBSIMPP document shall be considered a confidential document and shall be made available to the persons concerned with proper access control.

Role and Responsibility of the Data Protection Officer (DPO)

    • The DBSIMPP shall be implemented by the DPO, who has the overall responsibility for the data security incident and data breach management process. The primary responsibilities associated with security/breach management are to identify and respond to suspected or known security incidents, contain or limit the exposure to loss, and mitigate, to the extent practical, the harmful effects of security incidents that might affect the data subject’s rights.
    • The DPO and/or the Information Technology (IT) Unit will manage incidents at the facility level and will alert the Chief Executive Officer of potential organization-wide threats. The nature of the incident may require the assignment of staff from other units/offices. In all cases, units/offices shall be informed of the incident and the steps recommended or taken to mitigate the incident.
    • The DPO shall ensure that these security/breach management policies and procedures are complied with and duly implemented.

SECURITY INCIDENT/DATA BREACH MANAGEMENT POLICIES

The DPO shall ensure that:

    • Incidents are detected as soon as possible and reported to the DPO.
    • All incidents shall be duly recorded and documented. The full extent and implications relating to an incident must be duly analyzed and understood.
    • All evidence is gathered, recorded and maintained in the Security Incident Reporting Form that will withstand internal and external scrutiny.
    • Incidents are handled by appropriate authorized personnel with skilled backup as required.
    • Incidents are dealt with in a timely manner and service(s) restored as soon as possible.
    • The risk to SCP’s reputation through negative exposure is minimized.
    • Any weaknesses in procedures or policies are identified and addressed.
    • Learnings from the incidents are recorded.
    • Similar incidents will not recur.

These policies and procedures shall apply throughout SCP, affecting all information resources, data stored and processed on those systems, data communication and transmission media, and personnel who use information resources.

IMPLEMENTATION

The DPO shall initiate the development, maintenance and implementation of the incident management and response plan to address data security incidents based on the following incident management plan requirements: 

  • Incident Management Training - This shall provide incident management training to the units/offices on how to identify and report security incidents.
  • Identifying and Prioritizing Types of Incidents - This will be undertaken to develop and maintain guidelines for identifying and prioritizing security incidents. The Units/Offices or their affiliated staff designated by agreement or assignment shall evaluate the potential for the occurrence of certain types of incidents. All security incidents shall be classified by severity level and type. In addition, each incident shall be identified as to type: email, hacking, virus/worm, inappropriate use, social engineering and even non-IT-related incidents such as improper use of physical personal data, i.e. forms and other printed materials.
  • Incident Monitoring - The DPO shall develop and maintain guidelines on how to monitor security incidents. (See attached excel file: SCP Incident Assessment Involving Personal Data). The Units/Offices or their affiliated staff designated by agreement or assignment, as part of their risk management program, shall continuously monitor security incidents (both physical and IT-related incidents) according to prescribed guidelines.
  • Incident Detection - SCP shall develop and maintain organization-wide procedures for collecting, analyzing and reporting data. (See attached excel file as reference: SCP Incident Assessment Involving Personal Data). The integrity of all data relating to criminal acts must be preserved as evidence and will be collected using generally accepted data privacy policies and procedures. The forensic procedures to be followed will be developed and disseminated by the DPO.
  • Incident Reporting - The DPO shall define the basic procedure to be followed for reporting incidents. The procedure may be expanded by the Units/Offices as necessary to include the internal communications and escalation procedures that will be used. Security incidents classified as level 3, 4, or 5 in the Privacy Impact Assessment shall be reported to the DPO and the designated unit/office information security officer within a period of 12 hours from the time the incident was discovered. (See attached excel file as reference: SCP Incident Assessment Involving Personal Data). The DPO is responsible for reporting the incidents to the Chief Executive Officer. If a security incident concerns Sensitive Personal Information (SPI) and the incident is deemed reportable to the National Privacy Commission as defined in the Data Privacy Act of 2012 and its IRR, the DPO shall be responsible in submitting the report to the Commission. 
  • SCP-Security Incident Response Team (SIRT) - The DPO shall make the recommendation for the establishment of the SIRT for the approval of the CEO. The DPO will work with the Units/Offices to develop a cross-functional incident response team that will handle a variety of incidents. The roles and responsibilities of the team members will be clearly defined. The SIRT shall be adequately staffed and trained to handle the incident(s). Since incidents may be far-reaching, requiring expertise or authority that does not reside within a unit/office, the SIRT may include outsourced vendors, internal and external entities, as well as other key facility/agency personnel, if necessary.
  • Organization Protocols - Security incidents may occur across network boundaries. The DPO shall define the protocols for handling these incidents and the contacts between Units/Offices and outsourced entities. 
  • Impact Assessment - The DPO shall evaluate the impact of security incidents. Assessments may be required at various stages of the incident life cycle to assist the SCP management in deploying the proper risk management strategy. 
  • Incident Handling and Escalation Procedures - The DPO shall develop and maintain the primary procedures for handling the containment, eradication and recovery aspects of incidents and the guidelines for development of an escalation procedure. The Units/Offices shall develop escalation procedures that are tailored to their individual circumstances. (See attached excel file as reference: SCP Incident Assessment Involving Personal Data).
  • Documentation - All security incidents shall be thoroughly documented by the Units/Offices with as much detail as possible to describe the incident, time discovered and impacted area for subsequent investigation. The incident report shall indicate who was notified and what actions were taken. The DPO may be called on to assist in the documentation process. 
  • Record Retention - The Quezon City Office, and each of the Field Offices shall maintain the incident logs and corresponding documentation for a minimum of one (1) year following the discovery of an incident or until an investigation is completed. Incident logs should be stored in a secure location.
  • Post-Incident Analysis - The post-incident analysis provides feedback to improve the existing process and its related procedures. Following actions taken to resolve each security incident, an analysis shall be performed by the DPO and the impacted unit or office, with assistance of their affiliated staff designated by agreement or assignment, to evaluate the procedures taken and what further steps could have been taken to minimize the impact of the incident. 
  • Data Security Emergency Planning - If an incident occurs that impacts the safety of the personnel and facilities, or results in a situation where unit services are interrupted for an extended period of time, the incident may be declared an emergency. The DPO shall work with the government agencies (i.e. NBI or PNP) to provide guidelines regarding the criteria for identifying an emergency and notification procedures. The Units/Offices shall develop the appropriate procedures for identifying and declaring data security emergencies using the established Business Continuity Plan as can be seen also under their respective Privacy Impact Assessments.
  • Media Relations - Serious security incidents that are likely to result in media attention shall be reported immediately to the Chief Executive Officer.

ENFORCEMENT

Any employee found to have violated this policy may be subject to disciplinary action in line with the SCP Disciplinary Policy.