Data breach reporting procedure
What is a personal data breach?
“A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.” – Information Commissioner's Office (ICO)
Examples of personal data breaches could include:
- Theft of a University laptop / mobile device which has personal data saved on it.
- An attack on the University network which exposes personal data.
- Unauthorised use of personal data by a member of University staff.
- Accidental loss of files or documents which contain personal data.
- Failure of equipment rendering personal data irretrievable.
How to report a personal data breach
All potential or actual personal data security breaches should be reported as soon as they are discovered. If for any reason you are unsure whether an issue constitutes a personal data security breach, please report it.
To report a personal data security breach, please complete the Data Breach Form. Please provide as much detail as you can, as this information helps us to assess the severity of the breach and decide on the appropriate course of action, so that where possible the data is recovered and the risk of a similar incident is minimised.
Please do not include the names of the individuals involved in the form. If this information is required it will be requested separately.
We may request copies of any documents or emails exposed as a result of the breach. These documents will not normally be shared beyond the investigating officers; they allow us to make an informed judgement of the breach and decide on the next steps to take.
What happens next?
You should expect to hear from a member of the Information Management team within three working days. If you believe the issue requires more urgent attention, please contact the Information Management team on extension 2900 once you have completed the breach notification form.
Breaches which present a major risk to the individuals affected will be reported to the University Secretary & Director of Operations and in some cases the Information Commissioner’s Office (the regulator responsible for overseeing compliance with the Data Protection Act).
A review will take place following all breaches to identify any remedial action which may reduce the risk of similar breaches occurring; this may include revised policies and procedures, staff training, or improved security. You may be involved in this review and the implementation of any preventative measures.
Contacting us about how we use your information
If you have any questions, comments or concerns about how we use or handle your information, please contact the Data Protection Officer at: Data Protection Officer, Information Management Team, Birmingham City University, University House, 15 Bartholomew Row, Birmingham B5 5JU; email firstname.lastname@example.org; or call extension 2900.
If you are not content with how we handle your information, please contact our Data Protection Officer. However, you also have the right to complain to the Information Commissioner at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.