Reporting a data breach/incident
What to do if something goes wrong
Staff should understand the difference between an incident and a personal data breach:
An incident occurs where there is a risk of personal data being compromised. If handles quickly, an incident can often be contained before it becomes a breach.
A personal Data Breach occurs when there is a failure in security leading to destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Examples of a breach include:
- The loss or theft of data in any format (e.g. papers taken from car, papers left on the train, papers left on the photocopier, post intercepted, unauthorised download)
- Loss or theft or equipment used to store University Information (e.g. laptop, smartphone, USB stick) N.B. All removable storage devices should be encrypted
- Compromised IT user account (e.g. spoofing, hacking, shared password)
- Blagging where information is obtained by deception (a person claims to be someone else)
- Accidental or unauthorised disclosure of University Information (e.g. email of letter to wrong recipient or incorrect system permissions/filter failure)
- Corruption or unauthorised modification of vital records (e.g. alteration of master records)
- Computer systems or equipment compromise (e.g. virus, malware, denial of service attack)
- Break-in at a location holding sensitive information or containing critical information processing equipment such as servers
All Incidents and Breaches must be reported to firstname.lastname@example.org and the University SIRO email@example.com A Serious Information Governance Incident Procedure is also available. We can then assess, reduce and where possible prevent incidents.
You should remember that if you report an incident quickly, we can often contain it and stop any personal data from being compromised.
Should a breach occur which creates a risk to the rights of an individual, we have a duty to report this to the Information Commissioners office (‘ICO’) within 72 hours. We may also need to notify the individual whose data has been breached, within the same time period. The SIRO in conjunction with Vice Chancellor makes the decision on reporting breaches to the ICO.
Fines have increased to a maximum of 20m euros or 4% of global turnover (whichever is the higher)
Each school of the University has a Business Lead for GDPR compliance.