Procedure in the event of a data protection incident
Under the General Data Protection Regulation (GDPR), introduced in May 2018, it is mandatory to report a personal data breach if it is likely to result in a risk to people’s rights and freedoms. A notifiable breach must be reported to the Information Commissioner’s Office within 72 hours of the University becoming aware of it. It is therefore important that any breaches identified by staff, students or others are reported to the Data Protection Manager as promptly as possible, and certainly within 24 hours of any suspicion that a breach has taken place .
Examples of a personal data breach can vary widely. For instance, breaches can be caused by e-mails being sent to the wrong people, lost or stolen portable devices (such as laptops, USB sticks), inappropriate accessing or sharing of electronic data, hard copy files being lost or taken, confidential waste being placed in recycling bins (as opposed to use of confidential waste sacks or shredding).
The sections below outline the procedures which should be followed, particularly in scenarios where urgent action needs to be taken such as the loss of, misuse of, or release to unauthorised persons of, significant amounts of personal data.
- If action to remedy the situation may be effective, then this should be undertaken immediately (e.g. retrieving emails, remotely deleting data, reclaiming hard copy files).
- Once this action has been taken or attempted, or if it is not possible to undertake remedial action, the Data Protection Manager should be informed immediately, together with the relevant line manager. When reporting to the Data Protection Manager, the incident should be described in as much detail as is practically possible and should be accompanied by any relevant background information, details of the data compromised and the identities of any persons involved in whatever capacity.
- A student suspecting a breach of data protection should immediately inform the Data Protection Manager.
Action taken subsequently will depend upon the nature of, and potential risks associated with, the incident.
Due to be reviewed June 2020.
Phone 01970 628592/3 (8592/3 internally) or email firstname.lastname@example.org