Personal Data Breach Handling

Personal Data Breach Handling

Personal Data Breaches

Any personal data breach, suspected personal data breach, or an accident or misuse involving personal data must be immediately reported to the University's Data Protection Office.

If you are involved in or discover the breach, report it immediately to your Head of Service or Head of School Administration; they must then notify the Data Protection Office and forward all relevant information related to the breach using the Personal Data Breach Reporting Form also see the "What to report" section below).

Flowchart for personal data breach notification

Examples of personal data breaches

Examples of personal data breaches include: 

  • loss or theft of portable electronic devices containing data about people (e.g. laptops, PDAs, tablets, mobile phones, etc.) or loss of hard copy data within briefcases, folders, etc;
  • sharing information about people with unauthorised third parties, either accidentally or wilfully;
  • sending emails or letters in error to the wrong person(s) or wrong address(es);
  • a cyberattack that hacks into a University computer system that holds information on people.

What to report

In the event of a breach, accident, or error involving personal data, the Data Protection Office must begin an investigation as soon as possible.  This is because breaches must also be reported to the ICO if they are likely to adversley affect the rights and freedoms of the individuals involved, and this has to be done within 72 hours of first becoming aware of the breach.  Please note that all breach notifications to the ICO must be done via the University's Data Protection Office.

The Data Protection Office will ask anyone reporting a personal data breach to complete the Personal Data Breach Reporting Form.  The information asked for in the form will allow the Data Protection Office to investigate breaches efficiently and promptly.

Where to report

Report all personal data breaches immediately to:


The DP & FOI Office are based at:

Data Protection & Freedom of Information Office
Tay House
University of Glasgow
G12 8QQ