Personal Data Breach Handling

Data Breaches

Any personal data breach or suspected personal data breach, or any accident or misuse involving personal data, must be reported immediately to the University's Data Protection Office at the phone number below.

If you are involved in or discover the breach, report it immediately to your Head of Service or Head of School Administration; they must then notify the Data Protection Office and forward all relevant information related to the breach (see the "What to report" section below).

Examples of personal data breaches

Examples of personal data breaches include: 

  • loss or theft of mobile devices containing data about people (e.g., laptops, PDAs, mobile phones, etc.) or loss of hard copy data within briefcases, folders, etc.;
  • sharing information about people with unauthorised third parties, either accidentally or willfully;
  • sending emails or letters in error to the wrong person(s) or wrong address(es);
  • a hack into a University computer system that holds information on people.

What to report

In the event of a breach, accident, or error involving personal data, the Data Protection Office must begin an investigation into the incident as soon as possible. The Information Commissioner's Office (ICO) has a checklist of details regarding the breach incident that the DP Office must collect. If the incident is severe, it must be reported to the ICO.

Reporting the following details to the DP Office as soon as possible after the breach will enable the investigation to proceed efficiently and promptly:

  • What information was affected? e.g. student ID numbers, student medical records, staff financial details, etc.
  • When did the breach occur?
  • How did the breach happen? e.g. loss of a memory stick, email sent in error, sensitive records thrown into a bin rather than confidential waste, etc.
  • How many individuals' personal data are impacted by the incident?
  • Are affected individuals aware of the incident, and/or have any complaints about the incident been received?
  • What, if any, steps have you taken to contain and/or mitigate the impact of the incident?

Where to report

University Data Protection Office

Report all breaches to x3111 in the first instance. If you do not get through via phone, send an email to the DP inbox.

Data Protection & FOI Office
Tay House
University of Glasgow
G12 8QQ

Tel: 0141 330 3111