City Research Online

A triage playbook: privacy harm and data incident response in the UK

Devey, C. S. H. (2019). A triage playbook: privacy harm and data incident response in the UK. (Unpublished Doctoral thesis, City, University of London)


Personal data incidents have become a serious concern in almost every industry. In the UK, the TalkTalk data breach in October 2015 generated headline news and raised public awareness of data breaches. Under the EU General Data Protection Regulation (GDPR), organisations in the UK are held accountable for reporting data breach incidents to the Information Commissoner’s Office (ICO) within 72 hours. Furthermore, organisations are required to notify the ICO and to communicate with affected individuals where there is high risk. However, the triggers or criteria for what constitutes a general risk and a high risk are not clear. Researchers have pointed out that privacy impact assessments (PIA) and breach notifications are new concepts. There is no universal PIA framework which could be used for comparative privacy risk analysis. Security-related literature on PIA primarily addresses the prevention of harm through technical measures or system development and says little about assessing the harm to individuals. The overall aim of this PhD was to explore personal data incident (DBI) response, data privacy harms and breach notifications under the GDPR. Firstly, in-depth personal interviews were conducted to gauge the extent and nature of DBI responses by organisations in the UK. Interviewees viewed breach notifications as a ‘right thing to do’ but raised concerns about the GDPR breach notification timelines. Although there is no dedicated DBI response framework, interviewees were using triage and checklists during DBI response. Based on these findings, in the second stage of the research, a research question was framed: How can a triage playbook be used to address data privacy harms for breach notification prioritisation during the initial response to a personal data incident? A triage playbook was developed; this synthesised the triage steps; operationalised the steps with checklists; and created a data matrix for scoring the likely impact on individuals. Finally, in a third study, two dashboards were iteratively designed and tested with practitioners through a facilitated walkthrough and online questionnaire. The triage playbook was found to meet practitioners’ need to prioritise notification for the ICO and affected individuals when there is a data breach. The overall novel contribution of this research is to extend knowledge of how triage, checklists and a data matrix can be used to support organisations in the UK to address privacy harm to affected individuals for prioritising breach notifications during the initial response to a DBI.

Publication Type: Thesis (Doctoral)
Subjects: T Technology > T Technology (General)
Departments: School of Science & Technology > Computer Science
School of Science & Technology > School of Science & Technology Doctoral Theses
Doctoral Theses
[thumbnail of ThesisCherDeveyJune2019Finalprint.pdf]
Text - Accepted Version
Download (20MB) | Preview


Add to AnyAdd to TwitterAdd to FacebookAdd to LinkedinAdd to PinterestAdd to Email


Downloads per month over past year

View more statistics

Actions (login required)

Admin Login Admin Login