This procedure sets out how Inkfinity Print Solutions Ltd responds to personal data breaches and security incidents affecting the Care App platform, in line with our obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Purpose
Inkfinity Print Solutions Ltd ("we", "us") acts as a data processor on behalf of care organisations ("controllers") that use the Care App platform. This document describes the steps we take when a data incident is identified, including how and when we notify affected controllers and the Information Commissioner's Office (ICO).
2. What Counts as an Incident
An incident includes but is not limited to:
- Unauthorised access to personal data (e.g. account compromise, hacking)
- Accidental disclosure of personal data to the wrong person
- Loss or theft of data
- Ransomware or malicious software affecting data integrity
- A system outage that prevents authorised users from accessing data
- Accidental deletion of personal data
3. Roles and Responsibilities
| Role | Person / Organisation |
|---|---|
| Data Controller (per client) | The subscribing care organisation |
| Data Processor | Inkfinity Print Solutions Ltd |
| Incident Lead | Jamie, Inkfinity Print Solutions Ltd |
| Director | Amy Lawson, Inkfinity Print Solutions Ltd |
4. Incident Response Steps
Step 1 — Detect and Report (Hour 0)
- Any person who identifies or suspects a breach must report it immediately to hello@care-app.uk
- The Incident Lead is notified and takes ownership
Step 2 — Contain (Hours 0–4)
The Incident Lead will:
- Assess the nature and scope of the incident
- Take immediate steps to contain it (e.g. revoke compromised credentials, suspend affected accounts, isolate affected systems)
- Preserve evidence — do not delete logs or attempt to alter records
Step 3 — Assess (Hours 4–24)
Determine:
- What personal data was involved (type, volume, sensitivity)
- Whose data is affected (clients, staff, or both)
- Whether the breach is likely to result in a risk to individuals' rights and freedoms
- Whether it is likely to result in a high risk (which triggers direct notification to affected individuals)
Step 4 — Notify the Client (Within 24 Hours)
- Notify the affected subscribing organisation (data controller) within 24 hours of confirming a breach
- Provide: what happened, what data was affected, what steps have been taken, and what they need to do next
- Supply a written incident report by email
Step 5 — ICO Notification (Within 72 Hours of Discovery)
If the breach is likely to result in a risk to individuals:
- Report to the ICO at ico.org.uk/report-a-breach within 72 hours of discovery
- Include: nature of breach, categories and approximate number of individuals affected, likely consequences, measures taken or proposed
- If notification cannot be made within 72 hours, submit what is available and provide reasons for the delay
Step 6 — Notify Affected Individuals (If High Risk)
If the breach is likely to result in a high risk to individuals:
- Notify affected individuals directly without undue delay
- Communicate clearly in plain English what happened and what they should do (e.g. change passwords, monitor accounts)
Step 7 — Review and Close
- Document the full incident in the Incident Log
- Review what caused the breach and implement measures to prevent recurrence
- Update this procedure if required
5. Severity Levels
| Level | Description | Example | ICO Report? |
|---|---|---|---|
| Low | No personal data exposed; internal only | Failed login attempt blocked | No |
| Medium | Limited personal data exposed; low risk | Record accidentally emailed to wrong internal address | Assess |
| High | Personal data exposed; risk to individuals | Account compromised; health records accessed | Yes (within 72 hrs) |
| Critical | Large-scale breach; high risk | Database exfiltration; ransomware | Yes + notify individuals |
6. Incident Log
All incidents, regardless of severity, are recorded internally with the following details: date and time discovered, description of the incident, data categories and volume affected, containment actions taken, whether the ICO was notified, whether individuals were notified, root cause, and preventative measures implemented.
The Incident Log is maintained by Inkfinity Print Solutions Ltd and is available to client organisations on request.
7. Contact
To report a suspected data incident, email hello@care-app.uk (see Step 1).
We aim to acknowledge all incident reports within 4 hours during business hours (Monday–Friday, 9am–5pm).
8. Review
This procedure is reviewed annually or following any significant incident or change to applicable legislation. Next review due: April 2027.