Data Breach Response Plan

Last updated: 27 March 2026

1. Purpose

This document outlines TriageHealth’s procedures for identifying, containing, and responding to personal data breaches in compliance with the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.

2. Supervisory Authority Notification (GDPR Article 33)

Where a personal data breach is likely to result in a risk to the rights and freedoms of individuals, TriageMethod Ltd will notify the relevant supervisory authority within 72 hours of becoming aware of the breach.

  • EU residents: The Irish Data Protection Commission (DPC) will be notified as our lead supervisory authority, as TriageMethod Ltd is an Irish-registered company.
  • UK residents: The Information Commissioner’s Office (ICO) will be notified in parallel where UK residents are affected.

The notification will include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to mitigate the breach.

3. Affected User Notification (GDPR Article 34)

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, TriageHealth will notify affected users within 72 hours of discovering the breach. Notification will be sent via email to all affected accounts and will include:

  • A clear description of the breach in plain language.
  • The type of personal data involved (e.g., health data, account data).
  • The likely consequences of the breach.
  • Measures taken to address and mitigate the breach.
  • Steps users can take to protect themselves (e.g., change password, review account activity).
  • Contact details for the Data Protection Officer.

4. Internal Response Procedure

  1. Detection & Triage: Any team member who identifies a potential breach must immediately escalate to the Data Protection Officer.
  2. Containment: Affected systems or access vectors are isolated. Compromised credentials are revoked. Logging is increased for forensic analysis.
  3. Assessment: The scope, severity, and impact of the breach are assessed. The type of data affected and the number of data subjects are determined.
  4. Notification: Supervisory authorities and affected users are notified within 72 hours as described above.
  5. Remediation: Root cause analysis is performed. Security measures are strengthened to prevent recurrence.
  6. Documentation: All breaches, including those not requiring notification, are documented in the internal breach register (GDPR Article 33(5)).

5. Health Data Considerations

Given that TriageHealth processes special category data (health data under GDPR Article 9), any breach involving health records, blood work results, genetic data, or assessment findings is treated as high-risk by default and will trigger user notification regardless of the assessed likelihood of harm.

6. Data Protection Officer Contact

For any data protection concerns, including reporting a suspected breach, contact:

Data Protection Officer
TriageMethod Ltd
Email: info@triagemethod.com

7. Review

This breach response plan is reviewed annually and updated following any breach incident or significant change to our data processing activities.