Personal data breach
What to do in the event of a potential personal data breach
The General Data Protection Regulation (GDPR) defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”.
Personal data is information about a living, identifiable individual.
It is the responsibility of all members of staff and students who discover a potential personal data breach, however minor, to report it immediately by email to the Information Governance Team - please see ‘How do I report a breach?’ below. The University has procedures in place to contain, mitigate, manage and notify a personal data breach.
In some cases, the University will have to report the breach to the Information Commissioner’s Office (ICO), within 72 hours, so it is important that any breach is reported without delay.
How do I identify a breach?
Breaches can be small, relating to one person, or can affect many hundreds of individuals. A breach might involve information held in digital format or in paper files, and examples vary widely. Our most common breach is an email sent to the incorrect recipient(s). Other examples include lost or stolen portable devices (such as laptops and USB sticks), inappropriate accessing or sharing of electronic data, hard copy files being lost or taken, and confidential waste being placed in recycling bins (rather than in confidential waste sacks or being shredded).
As well as a breach of security, data breaches can be caused in other ways, such as keeping data longer than required or gathering too much personal data.
If in doubt, contact us.
What remedial action could I take?
If possible, you should attempt to recover the information, prevent further transmission of the information or delete the information mistakenly disclosed immediately upon discovering a personal data breach.
Examples of remedial action to consider:
- If information was sent electronically to an incorrect recipient(s), have you tried to recall the email* or have they been asked to delete the information (including from their deleted folder)?
- If a device was lost or stolen, is remote wipe possible?
- If a password has been disclosed, has it been changed?
- Can you reclaim hard copy files that may have been left somewhere insecure?
*Note: it is extremely unlikely that recall requests are successful.
Once remedial action has been taken or attempted, or if it is not possible to undertake remedial action, you should immediately contact the Information Governance Team (see contact details below). Staff should also inform their relevant line manager.
Do not notify the affected data subjects. The Information Governance Team will determine who should be notified and how.
How do I report a breach?
If you discover a potential personal data breach, then you should immediately report the incident by email to firstname.lastname@example.org. The email subject line should state ‘breach’.
To assist with our investigation, please describe the incident, providing as much information as possible. Think of who, what, when, where, why and how, for example:
- When did the breach happen? (date and time)
- When was the data breach discovered? (date and time – if the reporting has been delayed by more than 24 hours, please explain why)
- What has happened? (how did the breach occur)
- What type of personal data was included? (e.g. names, addresses, emails, contact details, any special category data)
- How many and what type of data subjects could be affected? (are they staff, students, etc.?)
- What remedial action have you taken, if any?
If you don’t have all the information available, please just provide what you can. Do not delay in reporting the incident whilst you gather other information, as data breaches must be reported immediately. Any delay can affect steps that we can take to reduce the impact of any data breach and may also mean we do not meet the legal timescales for reporting to the ICO.
What happens next?
On receipt of the breach notification, we will work with you and other relevant colleagues to make sure that any personal data is secured and that risks associated with the breach are minimised.
In the case of a data breach occurring that is likely to result in a risk to the rights and freedoms of individuals, we have a duty to notify the ICO of the breach within 72 hours of the University becoming aware of it. Further information on this process can be found at the ICO guide to personal data breaches.
Where a data breach is likely to result in a high risk to the rights and freedoms of individuals, the University is also required to notify the individuals concerned without undue delay.
The University must also keep a record of any personal data breach, regardless of whether it is reportable.
Data Protection Policy and training
All individuals who access, use or manage the University’s information are responsible for following the Data Protection Policy and immediately reporting any data protection incidents that come to their attention.
Staff are also required to complete the mandatory online General Data Protection Regulation (GDPR) and Information Security training courses available on Blackboard.