Personal data breach handling

Personal data breaches

Any personal data breach, suspected personal data breach, or an accident or misuse involving personal data must be immediately reported to the University's Data Protection Office.

If you are involved in or discover the breach:

  • Report it immediately to your Head of Service or Head of School Administration.
  • They must then notify the Data Protection Office to report the breach, forwarding all relevant information related to the breach for investigation.

Examples of personal data breaches include:

  • Loss or theft of portable electronic devices containing data about people (e.g. laptops, PDAs, tablets, mobile phones, etc.) or loss of hard copy data within briefcases, folders, etc.
  • Sharing information about people with unauthorised third parties, either accidentally or wilfully
  • Sending emails or letters in error to the wrong person(s) or wrong address(es)
  • A cyber attack that hacks into a University computer system that holds information on people

What to report:

In the event of a breach, accident, or error involving personal data, the Data Protection Office must begin an investigation as soon as possible.

This is because breaches must also be reported to the Information Commissioners Office (ICO) if they are likely to adversely affect the rights and freedoms of the individuals involved, and this has to be done within 72 hours of first becoming aware of the breach.

Please note that all breach notifications to the ICO must be reported via the University's Data Protection Office.