Last updated: July 2025
1. Purpose & Scope
This policy outlines the procedures Cititec Talent Ltd will follow when responding to any actual or suspected personal data breach. Our response will comply fully with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy applies to all employees, contractors, and any third parties who handle personal data through Cititec Talent’s systems, including (but not limited to) our primary applicant tracking system (ATS), Bullhorn. It covers all personal data held in any format (electronic or paper) that relates to job candidates, clients and/or employees. The aim is to ensure prompt and effective action to protect individuals’ personal data and to uphold our legal responsibilities.
2. Definitions
- Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data.
- Personal Data: Any information relating to an identifiable person, including candidate CVs, contact details, interview notes, or client data.
- Confidential Systems: Primarily Bullhorn, used for storing and managing candidate and client data.
- Examples of a personal data breach include: loss or theft of a device containing personal data; hacking or malware attacks; sending personal data to the wrong recipient; unauthorised access by a staff member or third party.
3. Responsibilities
- All Staff: Must report any suspected or confirmed breach immediately to the Data Protection Officer (DPO). The current DPO is Candice Dennison, who can be contacted at [email protected] or on 020 7608 5806.
- Data Protection Officer: Responsible for investigating, reporting, and responding to data breaches.
- Senior Management: Provide oversight and resources to manage breaches effectively.
4. Breach Reporting Procedure
1. Identification & Initial Report
- All staff must report any data breach or security incident immediately to the DPO or a senior manager.
- This includes incidents involving Bullhorn (e.g., data shared in error, system compromise, lost devices with Bullhorn access).
- Reports should include the date and time of the incident, the nature of the breach, the categories of data involved, the number of individuals affected (if known), and any initial steps already taken by the reporter.
2. Initial Assessment & Containment (within 24 hours)
- DPO to:
- Log the incident in the Data Breach Register;
- Assess the type and volume of data affected;
- Assess the systems involved (e.g., Bullhorn, email, shared drives);
- Assess the risk to individuals (clients, candidates, employees).
- Immediate containment: e.g., lock affected accounts, reset passwords, restrict access. The DPO is to take all necessary action to limit further data loss, recover lost data where possible, secure the affected systems and close any weakness that allowed the breach, while preserving logs and other evidence needed for the investigation.
3. Notification Requirements
- Information Commissioner’s Office (ICO): The DPO must notify the ICO within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. If notification is made after 72 hours, it must be accompanied by the reasons for the delay.
- Data Subjects: The DPO must notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
4. Investigation and Documentation
- Full investigation into cause, impact, and steps to prevent recurrence.
- All breaches are logged in the Data Breach Register, including incidents that are not reportable to the ICO.
5. Specific Guidance for Bullhorn Breaches
If a breach involves Bullhorn (e.g., unauthorised access, erroneous data sharing, phishing attack on Bullhorn account):
- Confirm the scope: How many records? What type of data? Were CVs or sensitive client data exposed?
- Engage Bullhorn support if a system-level issue is suspected.
- Consider revoking or suspending the affected user’s access, resetting their password, and reviewing the account’s login history for unauthorised sessions.
6. Communication Templates
- ICO Notification via https://ico.org.uk
- Data Subject Notification: Clear explanation of breach, recommended actions, and contact for further assistance.
7. Record-Keeping
- Cititec Talent will maintain a record of all personal data breaches, regardless of whether or not they are reportable to the ICO. This includes facts relating to the breach, effects of the breach and action taken to address it.
8. Training & Testing
- Mandatory annual training on data security and breach reporting, including use of Bullhorn.
- Regular scenario testing to ensure readiness.
9. Policy Review
Reviewed annually or after any significant incident.