Any incident that could potentially compromise the security of personal data represents a breach must be reported immediately.
If you discover a breach there are some important steps you must take:
- read the guidance notes listed on this page
- complete a personal data breach report form
- submit the form immediately to the Data Protection Officer
- the DPO will contact you, in confidence, once the form has been received
If you wish to make a complaint, please contact Data Protection Officer or Information Commissioner's Office (ICO)
What is a Personal Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
The University has an obligation to report certain types of Personal Data Breach to the ICO without undue delay and, where feasible, not later than 72 hours after having become aware of it. If the breach is likely to result in a high risk to the individuals' rights and freedoms, the University must also inform those individuals without undue delay. The University must keep a record of any Personal Data Breaches, their effects and the remedial action plan.
Events or incidents that must be reported
Any personal data breach including but not limited to any incident that could potentially compromise the security of personal data such as:
- Theft of a laptop
- Loss of mobile phones, flash drives and other data storage devices
- Unauthorised disclosure of personal information
- Loss of personal files
- Non arrival of sensititve information
- Maintenance of unsecured databases
The above list is not exhaustive.
In the event of an infringement of the GDPR, the ICO has the power to impost fines in more serious cases of up to 20 million euros or up to 4% of annual turnover, whichever is higher.