Personal Data Breach Procedure
The University has a Personal Data Breach Procedure document, covering the identification, investigation, mitigation, notification and review of personal data breaches by the University. Relevant guidance for staff on what to do in the event of a personal data breach or suspected personal data breach is provided on this page.
What is a personal data breach?
Under data protection legislation, a personal data breach is a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. The emphasis is that any breach must concern personal data. While all personal data breaches will be security breaches, not all security breaches will be personal data breaches. This guidance relates to any actual, suspected, threatened or potential personal data breach, including near misses.
Breaches can be small, relating to one person, or can affect many hundreds of individuals. The impact of a breach can be significant, for the individuals affected and the University.
Examples of personal data breaches include:
- Human error, for example an email attachment containing personal data being sent to the incorrect recipient or records being deleted accidentally
- Sharing of passwords or other credentials with third parties
- Controlled documents being left unattended to be copied, read or photographed by an unauthorised person
- ‘Blagging’ whereby an individual obtains personal data by deception
- Unlawful interception of email or telephone communications or online form submissions
- Loss or theft of a physical file or electronic device containing personal data
- Loss of a decryption key relating to securely encrypted personal data
- A Denial of Service (DoS) attack preventing access to personal data for a period of time
- Damage caused by unforeseen circumstances such as fire or flood
- Opening or clicking a link within a malicious email which contains malware or viruses
- A ransomware attack whereby access to systems or records containing personal data is disabled or encrypted
- A cybersecurity attack whereby personal data are accessed, altered, deleted and/or disclosed by the attacker
If a personal data breach is not addressed properly this may, in addition to any financial, reputational and other losses suffered by us as an organisation, result in the affected individuals:
- suffering a loss of control over their personal data or limiting their rights in relation to it
- suffering financial loss
- suffering a loss of confidentiality or reputation
- becoming a victim of identity theft or fraud
- becoming subject to discrimination or some other disadvantage or harm.
All members of staff that have access to or otherwise process personal data are responsible for reporting any personal data breach and for assisting with investigations where necessary.
Notify us of a Data Breach
Report any actual or suspected personal data breaches immediately.
To report a breach, complete the personal data breach form below and send it to the Information Compliance team at firstname.lastname@example.org.
What happens next?
On receipt of the breach notification form, the Information Compliance team will assess the matter and will work with you and other relevant colleagues to make sure that any personal data is secured and any impacts of the breach are minimised.
When assessing whether a breach must be reported to the ICO (the Information Commissioner's Office), the Information Compliance team will establish the likelihood of the breach impacting the rights and freedoms of those affected, and assess the severity of any potential consequences for the individuals. If there is a risk of a significant impact, then the University must notify the ICO; the Information Compliance Manager is responsible for making any notification.
If we need to make a report to the ICO we will need to provide details about the nature of the personal data breach, as well as approximate numbers of individuals affected and who those individuals are. We will also need to include details of the personal data involved. We will need to report the likely consequences of the breach and the measures we have taken, or propose to take, to deal with the breach and mitigate any possible adverse effects.