Personal data breaches
Any personal data breach or suspected personal data breach, or an accident or misuse involving personal data, must be immediately reported to the University's Data Protection Office at the phone number below.
If you are involved in or discover the breach, report it immediately to your Head of Service or Head of School Administration; they must then notify the Data Protection Office and forward all relevant information related to the breach (see the "What to report" drop-down below).
Examples of personal data breaches
Examples of personal data breaches include:
- loss or theft of mobile devices containing data about people (e.g., laptops, PDAs, mobile phones, etc.) or loss of hard copy data within briefcases, folders, etc.;
- sharing information about people with unauthorised third parties, either accidentally or willfully;
- sending emails or letters in error to the wrong person(s) or wrong address(es);
- a hack into a University computer system that holds information on people.
What to report
In the event of a breach, accident, or error involving personal data, the Data Protection Officer (DPO) must begin an investigation into the incident as soon as possible. The Information Commissioner's Office (ICO) has a checklist of details regarding the breach incident that the DPO must collect. If the incident is severe enough, it must be reported to the ICO.
Reporting the following details to the DPO as soon as possible after the breach will enable her investigation to proceed efficiently and promptly:
- What information was affected? e.g. student ID numbers, student medical records, staff financial details, etc.
- When did the breach occur?
- How did the breach happen? e.g. loss of a memory stick, email sent in error, threw sensitive records into bin rather than confidential waste, etc.
- How many individuals' personal data are impacted by the incident?
- Have individuals been made aware of the incident, and/or have any complaints about the incident been received?
- What, if any, steps have you taken to contain and/or mitigate the impact of the incident? e.g. have you recalled the email, resolved the security hack, stopped the data sharing, etc.
Where to report
University Data Protection Officer
Report all breaches to x3111 in the first instance. If you do not get through via phone, send an email to the DP inbox.
Data Protection Officer
Data Protection & Freedom of Information Office (Tay House)
University of Glasgow
Tel: 0141 330 3111
UK Information Commissioner
If a satisfactory resolution is not reached by the University DPO, an individual has the right to appeal to the UK Information Commissioner, as the regulator of the Data Protection Act.
Information Commissioner's Office
Tel: 0303 123 1113
Fax: 01625 524 510