Personal data breach process

What is a personal data breach?

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that result from both accidental and deliberate causes. A breach is therefore about more than just losing personal data.

A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.

What do I have to do?

All members of staff within the University have a duty to report without delay instances where there has been (or where there is suspicion that there might have been) a data breach. Also, if any students or members of the public become aware of a data breach at the University then we would strongly encourage you to report it to us so we can investigate and take action.

Breach FAQs

Q: What might a data breach look like?

A: A breach could be any one of the following scenarios (note: this list is not exhaustive):

  • If you have sent information which is considered personal data or sensitive personal data to the wrong recipient, or if you have received such information and it was not intended for you.
  • If your work or personal mobile devices, tablets or laptops have been lost or stolen and personal data is stored on those devices.
  • If you have reasons to think that any paperwork containing personal data has been lost or stolen.
  • If your work or personal devices have become vulnerable to a virus or malware.
  • If you have reason to believe another individual has had access to information they should not have – either by entering a private office, or accessing an unlocked device.
  • If you become aware that personal data belonging to the University has been the subject of a breach of security while in the hands of any provider of services to the University.

Q: Why should a breach be reported immediately?

A: The longer an incident goes unreported, the longer a vulnerability may remain unaddressed, allowing the incident to escalate or further incidents to occur. Also, the University has a legal requirement to report certain types of personal data breach to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach.

Q: What happens after a breach has been reported?

A: The Data Protection Officer (DPO) will be alerted to the breach and make an initial assessment to determine the next steps. The severity of the incident will inform and direct the appropriate level of leadership involvement, with the ICO being notified in certain cases. An investigation may be conducted, and its findings may initiate corrective and preventive actions, or other communications.