Legal Precedents

Statement by [ insert name of organisation ] concerning a significant [ cyber-attack OR data protection breach ] on [ insert date ] On [ insert date ], we became aware of an event that posed a risk to the security of personal data in our care. [ We OR [ Insert name of investigating party—eg the Metropolitan Police or the Information Commissioner’s Office ] ] [ have OR has ] initiated [ a OR an ] [ criminal ] investigation. We are collaborating with forensic specialists and other data security professionals to determine the source, nature and scope of this incident. We are undertaking a detailed review of the incident. We are also working closely with [ our insurer, ] [ the Information Commissioner’s Office, ] [ insert name of any relevant professional regulator or trade body, ] [ major financial...

1 General information Monitoring review date [ insert date ] Individual overseeing the monitoring review [ insert name and job title ] 2 Volume of data breaches identified and reported Consult your Data breach register for the previous 12 months and provide the required details below......

If you become aware of, or suspect, a personal data breach has taken place, please do the following: complete this form; and email it or deliver it to the [ insert, eg the data protection officer ], making sure the email or the form is clearly marked as urgent With data breaches, acting swiftly is critical. You must submit this report immediately once you know of, or suspect, a data breach......

1 General information Review date [ enter date of review ] Date of previous review [ enter date of last review ] Reviewer(s) [ enter name(s) or role(s), eg data protection officer ] 2 Review and findings Is your data processing register current? ☐ Yes ☐ No If No, make sure you note an action in section 3 below Have you carried out a data protection risk assessment since the previous review? ☐ Yes ☐ No If No, ensure an action is recorded in section 3 below Have you undertaken an information security review since the previous review? ☐ Yes ☐ No If No, set an action in section 3 below Are the policies listed below up to date and suitable for purpose?......

1 Purpose and application 1.1 This policy outlines the measures you are required to take in order to safeguard personal data and confidential information. 1.2 This policy covers all members of staff. 2 Responsibility 2.1 [ State who ] is accountable for this policy. 2.2 They are tasked with communicating the contents of this policy to all staff, ensuring compliance, keeping the policy under review, and arranging any amendments or updates to the policy. 3 Requirements—do 3.1 If you will be away from your desk for a prolonged period, make sure you have taken reasonable steps to prevent unauthorised access to confidential information......

Please select to obtain an Excel version of this register. The register (often referred to as a data breach log) mirrors the reporting and recording obligations under Assimilated Regulation ( EU) 2016/679, the UK General Data Protection Regulation ( UK GDPR). It can be used to help you record, manage and monitor data breaches. It will ensure you capture the information you are required to record under the UK GDPR, as well as the information you will need to notify a data breach to the Information Commissioner’s Office ( ICO) and/or affected data subjects. This register has been prepared in Excel and therefore it cannot be downloaded to Word. See also Precedent: Personal data breach plan. Requirement to keep a record You are required to document any personal data breaches—record the facts relating to each personal data breach, its effects and the remedial action...

1 Introduction This personal data breach plan: requires staff to report actual or suspected personal data breaches; and outlines our procedure for dealing with and documenting actual or suspected breaches. This plan applies to all staff [ in the UK ], and to all personal data and special category personal data held by [ insert organisation’s name ]. It supplements our policies relating to [ insert policies, eg data protection, information security and any other relevant policies ]. Key terminology used in this plan includes: Personal data breach: A data security breach resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that is transmitted, stored or otherwise processed; for example, accidental loss, destruction, theft, corruption or unauthorised disclosure of personal data. Personal data: Information about a living person who can be identified, directly or...

1 Management and organisational information security ICO expectation and current status Further details: Lexis Nexis® Precedents Your business identifies, evaluates and controls information security risks Not yet implemented or planned Partially implemented or planned Successfully implemented Not applicable Before deciding the right level of protection for your organisation, audit the personal data you hold and gauge the threats to it. Review every stage of handling: collection, storage, use, sharing and disposal. Weigh the sensitivity or confidentiality of the data and the potential harm or distress to people, alongside any reputational impact on your business, if a breach occurred. With this understanding, select security controls proportionate to your needs. Embedding data protection by design also means undertaking a data protection impact assessment ( DPIA) in defined scenarios to evaluate privacy risks. You must complete a DPIA prior to...

1 Introduction This policy explains how we make sure: a uniform naming convention is used for all [ paper and ] electronic files; all electronic documents are suitably stored and accessible; staff have the latest version of any document; and changes to documents can be monitored through version numbering. 2 File [ and matter ] naming convention [ Set out your file and, where appropriate, matter naming conventions. You may choose different file and matter naming conventions for internal files and client/customer-facing files ] 3 Document naming convention Each electronic iteration of a document must be named so that it can be easily identified and, if required, located by search. Each document name should state the: [ matter OR customer [ name AND/ OR reference ] ] [...

1 Data breach team The initial action is to convene a team to handle and respond to the breach. Data breach team lead [ insert the name or description of the person who will lead the data breach team, eg DPO ] [ Data protection officer ( DPO) ] [ [ insert name ] ] Head of legal [ insert name ] Head of compliance [ insert name ] Head of IT [ insert name ] [ insert any other, eg head of HR if the breach involves employee data ] [ insert name ] 2 Background information Refer to the Data breach report form, if appropriate......

1 Preliminary screening 1.1 Guidance Some forms of fraud must be both reported and handled appropriately and promptly; for instance, suspicions of money laundering should be submitted through a Suspicious Activity Report ( SAR) to secure protection under the Proceeds of Crime Act 2002, while someone raising concerns about fraud would ordinarily use our Whistleblowing procedures to receive statutory whistleblowing protection accordingly... 1.2 Actions If the suspected fraud includes any aspect of money laundering, terrorist financing, or proliferation financing, including but not limited to situations that may occasionally arise with, eg, mortgage or property transactions, consult the nominated officer to decide whether a SAR is necessary. Where bribery or corruption is suspected, consult [ insert name or title of person in charge of anti-bribery process ] in accordance with our Anti-bribery and corruption policy. If the suspected fraud could have been committed by a member of staff, a...

Any organisation can be the victim of fraud, regardless of size, sector, location or any other characteristic. Fraud may arise from outsiders, yet it can equally originate within an organisation, through employees or others engaged with us. Under the ‘failure to prevent fraud’ offence created by the Economic Crime and Corporate Transparency Act 2023, a company can face criminal liability if an employee, agent, subsidiary or other ‘associated person’ perpetrates fraud with the intention of benefiting the organisation (or, in some cases, its customer) and the organisation lacked reasonable anti-fraud procedures. This document constitutes a component of our measures and procedures designed to stop those linked to our organisation from committing fraud offences. Our employees and agents are our foremost and strongest line within this framework......

What are bribery and corruption? Corruption, in broad terms, is the misuse of entrusted power through dishonest conduct to secure personal or commercial benefit. Bribery is a form of corruption and, in a business setting, refers to any advantage—financial or otherwise—offered or accepted with the aim of rewarding or prompting the improper performance of a public, business or employment-related task. Performance is improper where there is an expectation that the activity will be undertaken in good faith, yet it is carried out in a way that breaches that expectation. What are the four offences under the Bribery Act 2010 ( BA 2010)? BA 2010 sets out four principal bribery offences: bribing another person requesting or accepting a bribe bribing a foreign public official failing to prevent bribery (this applies only to businesses) Who can be involved in...

1 General details Internal SAR reference code [ Enter internal SAR reference code ] Client name [ Enter client name ] Date [ Enter date ] Client/matter reference code [ Enter client/matter reference code ] Internal SAR filed by [ Enter name of person who filed the internal SAR ] Person handling......

We conduct our operations with integrity. Together, we each share responsibility for keeping our business free from bribery and corruption. This FAQ, central to that mission, explains how we can reach our commercial objectives in a way that aligns fully with our determination to prevent bribery and corruption. It serves as a practical guide so we work collectively to keep our activities untainted. What is a facilitation payment? A facilitation (or grease) payment is an unofficial sum given to secure or accelerate the performance of routine, non-discretionary government actions. These are nominal amounts commonly paid to lower-level public or government employees to help speed up a legitimate, permitted process that might otherwise take much longer to complete......

We conduct our business [ es ] with integrity. It is up to all of us to ensure our business [ es ] remain [ s ] untainted by financial crime, including bribery and corruption, the facilitation of tax evasion, and fraud. This FAQ, central to that mission, sets out how we can pursue our objectives while staying true to this commitment... 1 Who are agents and intermediaries? Agents and intermediaries are external parties engaged to deliver services for or on behalf of [ insert organisation’s name ] or to act in our interests. They may include: business consultants; sales representatives; third parties appointed in connection with government-related work or activities; introducers, facilitators, or other third parties who may perform services for or on behalf of [ insert organisation’s name ] in any capacity. [ insert, eg Our Agents and...

1 General Name [ Enter the name of the assessor ] Job title [ Enter job title ] Date [ Enter date ] 2 Evaluation Are you content that suitable due diligence......

Agents and intermediaries Agents and intermediaries are third parties engaged to deliver services for or on behalf of [ insert organisation's name ] or to act in our interests. Working with agents/intermediaries raises concerns around bribery, corruption, fraud, facilitation of tax evasion and financial crime more broadly, as we can be held liable for criminal conduct by those agents/intermediaries. There is also a risk that financial crime issues may arise from actions taken by another party within a supply chain. Therefore, when we appoint anyone to act for us, we must ensure we understand the financial crime risks involved. In all cases, we should carry out thorough due diligence so that potential criminal risks are identified, considered and addressed. Online due diligence can be used both to gather information and to verify and validate details sourced elsewhere, including directly from the...

This Flowchart acts as guidance for personnel involved in the anti-bribery and corruption due diligence process when appointing or overseeing agent or intermediary relationships......

We conduct our business [ es ] with integrity. We must all work together to ensure our business [ es ] [ remains OR remain ] free from financial crime. The points below outline factors we believe heighten the likelihood of improper conduct by an agent or intermediary. Non-fatal red flags can be addressed through further due diligence. Fatal red flags are so serious and present such a high risk that they cannot be resolved and result in the immediate ending of existing business relationships or the engagement process. For more information, see our [ Agents and intermediaries policy and Due diligence flowchart ]. FATAL red flags NON- FATAL red flags Any past convictions for financial crime offences, eg bribery, facilitation of tax evasion, or fraud. The agent/intermediary has at any time asked another organisation to produce sham invoices or other forms of false...