Introduction

This is the procedure to be followed for suspected or actual personal data breach incidents and must be read in conjunction with the University's Data Protection Policy.

Purpose and scope

The purpose of this procedure is to provide a framework within which the University will ensure compliance with its legal obligations in respect of incidents.

This procedure applies to University staff, agency workers, student ambassadors, volunteers, contractors and third party agents who process data for or on behalf of the University and it must be complied with in the event of a suspected or actual personal data breach.

The University is required to keep a record of all personal data breaches. Some of these breaches must be reported to the Information Commissioner's Office ("ICO") without undue delay and, at the latest, within 72 hours of detection. It may also need to notify individuals affected by the breach.

It is vital that all staff report a suspected or actual personal data breach, however minor, as soon as possible after discovery so that the University can investigate promptly and report to the ICO, if necessary, at the latest within 72 hours. Failure to report a personal data breach to the ICO (or to individuals) where necessary or a delay in doing so can result in criticism of the University by the ICO and, in serious cases, result in a fine.

Personal data breach

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure, theft, or unauthorised access, to personal data. Examples of personal data breaches include, but are not limited to:

• Loss or theft of media or equipment containing personal data (encrypted and non-encrypted devices) e.g. loss of paper record, laptop, iPad or USB stick, etc.
• Inappropriate access controls allowing unauthorised use e.g. sharing of user login details (deliberately or accidentally) to gain unauthorised access or make unauthorised changes to personal data or information systems
• Equipment failure resulting in personal data being unavailable
• Human error e.g. email containing personal data sent to the incorrect recipient
• Unauthorised disclosure of sensitive or confidential information e.g. document posted to an incorrect address or addressee
• Unforeseen circumstances such as a fire or flood resulting in damage or destruction of personal data
• Hacking attack resulting in a breach of confidentiality, effect on the integrity of personal data or its availability
• ‘Blagging’ offences where personal data is obtained by deceiving the organisation who holds it
• Insecure disposal of paperwork containing personal data

Why should breaches be reported?

The longer an incident goes unreported, the harder it gets to resolve any vulnerabilities. Impacted data subjects sometimes have a right to know that their data may have been compromised and that they could take steps that could minimise an adverse impact on them such as informing their bank that their bank details have been compromised.

The longer an incident goes unreported, the longer a vulnerability may remain unaddressed allowing the incident to escalate or for further incidents to occur. Without timely visibility of the incident through reporting the University may not be able to fulfil its legal obligations such as its duty to report certain types of personal data breach to the ICO without undue delay and where feasible within 72 hours of becoming aware of the breach.

Knowing that a breach has occurred and delaying reporting reduces the time available for the investigation team to understand and assist with a response and still meet privacy compliance requirements.

Understanding the cause of breaches allows us to develop and implement systems and processes that are more robust to prevent future breaches and protect personal data.

Procedure for reporting a personal data breach incident

Responsibility for reporting a suspected breach lies with the person who discovered the breach.

Suspected personal data breach incidents should be reported immediately upon discovery, using the form linked hereLink opens in a new window. You should also inform your line manager, unless there is a need to report it confidentially. Reports are logged in Service Now and the University's Data Protection Officer will be made aware of the report.

The University will investigate the breach and, where appropriate, notify or involve the relevant line management and HR. Reported personal data breaches are investigated in accordance with the University's standard operating procedure for responding to reported data breaches.

The DPO (or their nominated deputy) upon instruction from the University will notify the ICO, without undue delay, of a reportable personal data breach. Where the personal data breach is likely to result in a high risk of harm to individuals the University will notify them without undue delay.

The University shall notify any other affected third parties e.g. joint data controllers, controllers where the University is the Data Processor, without undue delay. The University may also need to notify others e.g. the Police and insurers.

Enforcement

Failure to adhere to this procedure, delay in reporting or non-reporting of suspected or actual breaches may result in disciplinary action in accordance with the University Staff Disciplinary Procedure.