Procedure in the event of a data protection incident
Under the General Data Protection Regulation (GDPR), in force from 25th May 2018, it is mandatory to report a personal data breach if it is likely to result in a risk to people’s rights and freedoms. A notifiable breach must be reported to the Information Commissioner’s Office (ICO) within 72 hours of the University becoming aware of it. It is therefore important that any data protection incidents or potential breaches identified by staff, students or others are reported to the Information Compliance Team as promptly as possible, and certainly within 24 hours.
Personal data breaches can take many forms. For instance, breaches can be caused by e-mails being sent to the wrong people, lost or stolen portable devices (such as laptops or USB sticks), inappropriate accessing or sharing of electronic data, hard copy files being lost or taken, or confidential waste being placed in recycling bins (as opposed to using confidential waste sacks or shredding). Not all of these examples would necessarily constitute a breach that is reportable to the ICO, but it is essential that such incidents are assessed by the Information Compliance Team.
The procedures which should be followed are outlined below. This is particularly important in scenarios where urgent reactive measures need to be taken, such as in response to the loss or misuse, or release to unauthorised persons, of significant amounts of personal data.
- If immediate action to remedy the situation may be effective, then this should be undertaken (e.g. retrieving emails, remotely deleting data, reclaiming hard copy files).
- Once this action has been taken or attempted, or if it is not possible to undertake remedial action, the Information Compliance Team should be informed immediately, together with the relevant line manager. When reporting to the Information Compliance Team, the incident should be described in as much detail as is practically possible and should be accompanied by any relevant background information, details of the data compromised and the identities of any persons involved, in whatever capacity.
- A student suspecting a breach of data protection should immediately inform the Information Compliance Team.
Subsequent action will depend upon the nature of, and potential risks associated with, the incident.
Phone 01970 628592/3 (8592/3 internally) or email email@example.com
Dr Jonathan Davies, Data Protection & Copyright Manager, Information Services, Hugh Owen Library, Penglais, Aberystwyth, Ceredigion, SY23 3DZ
Tel: 01970 628592 Email: firstname.lastname@example.org