arrow_back All policies

Data Breach Response Procedure

How we identify, contain, assess and report personal data breaches.

Version 1.0 · 5 May 2026 · Adopted 19 May 2026

1. Purpose

This procedure sets out what officers, volunteers and contractors of Tenpin Ireland should do if they become aware of, or suspect, a personal data breach. It is designed to meet our obligations under Articles 33 and 34 GDPR, including the requirement to notify the Data Protection Commission within 72 hours where a breach is likely to result in a risk to the rights and freedoms of individuals.

2. What is a personal data breach

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. There are three classic types:

TypeWhat it meansExamples in our context
Confidentiality breachPersonal data is disclosed to, or accessed by, someone who is not authorised to see it.An email containing member contact details is sent to the wrong distribution list. A member registration spreadsheet is left visible on a shared screen.
Integrity breachPersonal data is altered without authorisation.A member’s details are changed by mistake or maliciously and the original is lost.
Availability breachPersonal data is destroyed or made temporarily inaccessible.A laptop holding the only copy of vetting records is lost. A ransomware incident locks access to the membership database.

All three types are personal data breaches. Loss of access (for example, a database becoming temporarily unavailable) can be a breach even if no data is disclosed externally.

3. Roles

  • Anyone who notices a breach: reports it without delay.
  • The Data Protection Officer (DPO): leads the assessment, decides on notification, drafts any DPC and data subject notifications, and updates the Breach Log.
  • The Chairperson / President: is informed of all reportable breaches and approves any external communication. Acts as escalation point if the DPO is unavailable.
  • The Children’s Officer / DLP: is involved in any breach affecting juniors’ data.
  • The IT volunteer / service provider: supports containment and recovery.

4. The five steps

Step 1 — Report (immediately)

Anyone who becomes aware of, or suspects, a personal data breach must report it without delay to:

The report should describe what happened, when it happened (or was discovered), what personal data is involved, who might be affected, and any immediate actions already taken. Do not delay the report in order to gather a complete picture — a partial report is better than a late one. The 72-hour clock starts when Tenpin Ireland ‘becomes aware’ of the breach.

Step 2 — Contain

As soon as the breach is reported, those involved (with support from IT) take immediate steps to contain it. Examples:

  • Recall an email sent in error and ask recipients to delete it.
  • Reset compromised passwords and revoke active sessions.
  • Remove a misconfigured document from public access.
  • Take a system offline if continued operation is creating further exposure.

All containment actions are documented contemporaneously.

Step 3 — Assess

The DPO assesses the breach and assigns it a triage level. The assessment considers:

  • The type of breach (confidentiality, integrity, availability).
  • The nature, sensitivity and volume of personal data involved.
  • Whether children’s data or special category data is involved.
  • Whether data subjects can be identified.
  • The severity and likelihood of consequences for data subjects.
  • Whether containment has eliminated the risk.
LevelWhen it appliesWhat we doTiming
LowUnlikely to result in a risk to the rights and freedoms of any individual.Internal record only. No DPC notification. No data subject notification.1–3 days
StandardLikely to result in a risk to the rights and freedoms of one or more individuals.Notify the DPC within 72 hours of becoming aware (Article 33). Consider data subject notification on a case-by-case basis.Within 72 hours
HighLikely to result in a high risk to the rights and freedoms of one or more individuals — e.g. financial, identity, safeguarding, or significant distress.Notify the DPC within 72 hours and notify affected individuals without undue delay (Article 34). Consider proactive support.Within 72 hours

Breaches involving juniors’ data are escalated as follows:

ScenarioDefault triage
Junior member contact details exposedAt least Standard, often High
Junior performance / health data exposedHigh
Photographs or video of identifiable juniors disclosed wronglyHigh
Vetting or safeguarding records affectedHigh — also engage the Children’s Officer / DLP

Step 4 — Notify

4.1 Notifying the Data Protection Commission. Where the breach is Standard or High triage, the DPO submits a notification to the Data Protection Commission within 72 hours of the time Tenpin Ireland became aware of the breach. The notification is made through the DPC’s online breach notification webform on www.dataprotection.ie. If complete information is not available within 72 hours, we submit what we have and provide the remaining details in phases, marking the notification as such.

4.2 Notifying affected individuals. Where the breach is High triage — likely to result in a high risk to rights and freedoms — we also notify affected individuals (or their parents, where the data subjects are children) without undue delay. The notification:

  • Is in clear and plain language
  • Describes the nature of the breach
  • Provides the DPO’s contact details
  • Describes the likely consequences
  • Describes the measures taken or proposed to address the breach and mitigate its effects

4.3 Notifying others. Where appropriate, we also notify:

  • Sport Ireland, where the breach is significant or involves NGB-level data
  • Tusla and An Garda Síochána (if applicable, PSNI), where the breach raises a child protection concern
  • Our insurers, in line with any policy obligations
  • Service providers and processors who may need to act

Step 5 — Record and learn

Every breach — whether reportable or not — is recorded in the Tenpin Ireland Data Breach Log. The Log is held securely by the DPO and is reviewed at each Executive meeting in summary form. Following any reportable breach, the DPO conducts a short post-incident review and identifies any changes needed to policy, procedure, training, or technical controls. Lessons are reported to the Board.

5. The Breach Log

The Breach Log is the master record of breaches and near-misses. For each entry it captures:

  • Reference number and date opened
  • Date and time of breach (and date of awareness)
  • Description of what happened
  • Personal data and data subjects involved
  • Triage level and rationale
  • Containment actions taken
  • Whether the DPC was notified, when, and the reference number
  • Whether data subjects were notified, when, and how
  • Lessons learned and any actions
  • Date closed

6. Common scenarios and what to do

6.1 Email sent to the wrong recipient

  1. Email recipient(s) you didn’t intend; ask them to delete the email and confirm.
  2. Recall the message if your email system supports it.
  3. Notify the DPO with the details.
  4. Assess: how many recipients, what data, are children involved.

6.2 Lost or stolen device holding member data

  1. Notify the DPO and IT immediately.
  2. Trigger remote wipe if available; revoke any cloud sessions.
  3. Change passwords for accounts that might have been accessible.
  4. Report to An Garda Síochána / PSNI if appropriate.

6.3 Suspected unauthorised access to a system

  1. Reset credentials and revoke active sessions.
  2. Engage IT / the service provider to investigate.
  3. Preserve logs.
  4. Notify the DPO.

6.4 Misconfigured public document or webpage

  1. Remove the document or page from public view.
  2. Check whether it has been cached, indexed or downloaded.
  3. Notify the DPO with what was exposed and for how long.

7. Confidentiality

All personal data breaches are handled confidentially. Information about a breach is shared only with those who need to know in order to assess, contain, notify, or remediate. The DPO and the Chairperson / President keep the Board appropriately informed.

8. Training

This procedure is included in the briefing given to officers, volunteers, coaches and team managers. The DPO maintains a short, practical summary card listing what to do in the first hour after a suspected breach.

9. Review

This procedure is reviewed at least annually by the DPO and the Board, and after any significant breach.

10. Adoption

This Data Breach Response Procedure was adopted by the Executive Board of Tenpin Ireland on 19 May 2026.