Add /help/report-a-data-breach
#1602
Comments
This sounds great - it'll help us get key data more quickly. Polite request: so that we can process these using our support tooling a wee bit faster, can we write some metadata into the message headers, much in the same way as the volunteer form? That could look something like:
This certainly sounds like a potential big improvement which can ultimately improve how quickly and how well we respond to serious issues. We should also consider in the form's design how to deal with cases where the authority can't find the request on our site, either because it is embargoed, has reduced prominence, hasn't been indexed, or is otherwise hard/impossible to find. In this situation, the best thing to ask for is the request's email address. I think it would also be good to signpost what to do for:
Some users may otherwise use the form if they end up on it, and it may not be asking appropriate questions. I wouldn't say we'd necessarily have to deal with these on the form, though it might be good, but we should signpost it. The last three aren't very common, I don't think, but I think the first is important to deal with. We'll want to encourage as much precision as possible as to where the alleged breach is. (i.e. not just request X, but message Y, attachment Z, line/page α, even if described by dates/times etc.)
+1 - we could, perhaps, then pattern match it, once the form is submitted, so we can render relevant links in the message. That wouldn't be compulsory, of course. It might also be handy to link to the advice on recall messages - many public bodies use MS Exchange, and will often try to recall an email. It's a bad thing to do in these cases, as it often just magnifies the fact there is a problem. Letting the team know promptly is a better solution. As for the suggested signposting - also a +1, some boilerplate would probably help FOI / DP officers who use the form to understand what we can and can't give them right away, and what the next steps are, after a report is made.
Just linking to #1208 as potential implementation inspiration, though may be easier/cleaner to create a new
We now, following the adoption of a new policy on dealing with reports of "serious data breaches", have two different definitions for "serious data breach". We have:
I suggest not using the term "serious data breach" publicly if we mean something specific and instead say e.g. "a data breach which a public body is required to report to the ICO" and "a data breach involving special category or criminal offence data".
Is this form just for public bodies, or for everyone? I think it's for everyone, but we will point public bodies specifically to it? Consider making this a form which records if the user was logged in when they submitted it; this would enable us to know if the report was from a public body account. A question on the form could ask if the submission was being made on behalf of the public body responsible for the data breach.
What we really want is just an email address for contacting the Data Protection Officer. We don't need their name, and we don't really want their phone number.
Can it also be linked from the "report this request" form linked from request pages? Potentially related:
@chrismytton where are we at with this? Do we have an update?
@JenMysoc Apologies for the radio silence! Managed to get some time to work on this last week. Code is mostly working now, just need to tidy things up a bit and add some tests. Hoping to have something to share later this week.
Well it took a bit longer than predicted, but there's now a pull request for this change here: #1696. All feedback welcome!
@mdeuk Data breach emails will include a
@RichardTaylor I've added a question about the type of data breach, based on your two definitions. We're also asking if they're reporting on behalf of the public body, and as you suggest we're just asking for the DPO's email, rather than name etc.
As you can see the page still needs some copy adding to it, so any input or suggestions on that would be appreciated.
From a process perspective, it would be helpful to collect all the information we need for the initial assessment of a data breach at the point we are first made aware of a potential issue. We want to create a dedicated contact form that we can point authorities to in an attempt to get better up front information.
The page will be a combination of help page and contact form.
Contact Form
The contact form should ask the public authority to:
It should submit to the configured CONTACT_EMAIL (i.e. our usual inbox).
It should include something that allows us to easily identify that the message has come via this form (to auto-label it, etc).
We should be mindful of spam. We might want to consider preventing external indexing of it.
It should be linked to from /help/contact via a bubble along the lines of "I work for a public authority and I'm reporting a data breach".
We might also want to link to it from a custom section of the "report a request" page (via the "report" button on requests, messages, comments, etc)
Help Page
This help page should:
We should not presume that people using the form will know what Special Category information or Criminal Offence data are. We should ensure that this is clearly explained on the page where reports can be made.
Layout
I think a good structure for the page would be in 3 core sections:
Footnotes
Could use/integrate the existing "last request viewed" mechanics here, but we'd need to make sure that it's not the only way to submit links to the right content.