Data breach reporting procedure
What is a personal data breach?
“A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.” – Information Commissioner's Office (ICO)
Examples of personal data breaches could include:
- Theft of a University laptop / mobile device which has personal data saved on it.
- An attack on the University network which exposes personal data.
- Unauthorised use of personal data by a member of University staff.
- Accidental loss of files or documents which contain personal data.
- Failure of equipment rendering personal data irretrievable.
How to report a personal data breach
All potential or actual personal data security breaches should be reported as soon as they are discovered. If for any reason you are unsure whether an issue constitutes a personal data security breach, please report it. It is helpful, although not obligatory, to report a significant ‘near miss’, as it helps us to identify risk areas for which we can put improved practice in place, or to note good practice which has prevented a potential data breach. Anyone can and should report a data breach, whether you were the person who caused the data breach, were told about it (for example by someone who you line manage), simply noticed the data breach, or received the breached personal data.
To report a personal data breach, please complete the Data Breach Form. Please provide as much detail as you can, as this information helps us to assess the severity of the breach and decide on the appropriate course of action to ensure that, where possible, the data is recovered and the risk of a similar incident is minimised.
Please do not include the names of the data subjects (the individuals whose personal data has been breached) on the form. If this information is required it will be requested separately.
We may request copies of any documents or emails exposed as a result of the breach. These documents will not normally be shared beyond the investigating officers; they allow us to make an informed judgement of the breach and decide on the next steps to take.
What happens next?
You should expect to hear from a member of the Information Management team within three working days. If you do not, please email firstname.lastname@example.org with the subject line Urgent Data Breach Report Follow Up.
Breaches which present a major risk to the individuals affected will be reported to the University Secretary & Director of Operations and in some cases the Information Commissioner’s Office (the regulator responsible for overseeing compliance with the Data Protection Act).
A review will take place following all breaches to identify any remedial action which may reduce the risk of similar breaches occurring; this may include revised policies and procedures, staff training, or improved security. You may be involved in this review and the implementation of any preventative measures.
Contacting us about how we use your information
If you have any questions, comments or concerns about how we use or handle your information please contact the Data Protection Officer at: Data Protection Officer, Information Management Team (Legal Services), Joseph Priestley Building, 6 Cardigan Street, Birmingham, B4 7RJ, email email@example.com.
If you are not content with how we handle your information, please contact our Data Protection Officer. However, you also have the right to complain to the Information Commissioner at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Further information about the Information Commissioner.