DPA Breach and Complaints Handling

Data Breaches

Any breach or suspected breach of the Data Protection Act, or an accident or misuse involving personal data, must be immediately reported to the University's Data Protection Officer at the address below.

If you are involved in or discover the breach, report it immediately to your Head of Service or Head of School Administration; they must then notify the Data Protection Officer and forward all relevant information related to the breach (see the "What to report" section below).

Examples of personal data breaches

Examples of personal data breaches include: 

  • loss or theft of mobile devices containing data about people (e.g., laptops, PDAs, mobile phones, etc.) or loss of hard copy data within briefcases, folders, etc.;
  • sharing information about people with unauthorised third parties, either accidentally or willfully;
  • sending emails or letters in error to the wrong person(s) or wrong address(es);
  • a hack into a University computer system that holds information on people.

What to report

In the event of a breach, accident, or error involving personal data, the Data Protection Officer (DPO) must begin an investigation into the incident as soon as possible. The Information Commissioner's Office (ICO) has a checklist of details regarding the breach incident that the DPO must collect. If the incident is severe enough, it must be reported to the ICO.

Reporting the following details to the DPO as soon as possible after the breach will enable her investigation to proceed efficiently and promptly:

  • What information was affected? e.g. student ID numbers, student medical records, staff financial details, etc.
  • When did the breach occur?
  • How did the breach happen? e.g. loss of a memory stick, email sent in error, sensitive records thrown into a bin rather than confidential waste, etc.
  • How many individuals' personal data are impacted by the incident?
  • Have individuals been made aware of the incident, and/or have any complaints about the incident been received?
  • What, if any, steps have you taken to contain and/or mitigate the impact of the incident? e.g. have you recalled the email, resolved the security hack, stopped the data sharing, etc.

Where to report

University Data Protection Officer

Data Protection Officer
Data Protection & Freedom of Information Office (Tay House)
University of Glasgow
Glasgow
G12 8QQ

Tel: 0141 330 3111
Email: dp@gla.ac.uk

UK Information Commissioner

If a satisfactory resolution is not reached by the University DPO, an individual has the right to appeal to the UK Information Commissioner, as the regulator of the Data Protection Act.

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113
Fax: 01625 524 510


Complaints

Any complaints about Data Protection practices at the University or in relation to a subject access request response should be handled via the University’s complaints procedures.

If dissatisfied with the complaint outcome, the complainant is fully within his or her rights to notify the UK Information Commissioner: https://ico.org.uk/concerns