Personal data breaches

Any personal data breach or suspected personal data breach, or an accident or misuse involving personal data must be immediately reported to the University's Data Protection Office by emailing (please note, due to remote working we are unable to accept phone calls at this time).

If you are involved in or discover the breach, report it immediately to your Head of Service or Head of School Administration; they must then notify the Data Protection Office and forward all relevant information related to the breach (see the "What to report" drop-down below).


Flowchart for personal data breach notifications

Examples of personal breaches

Examples of personal data breaches include: 

  • loss or theft of mobile devices containing data about people (e.g., laptops, PDAs, mobile phones, etc) or loss of hard copy data within briefcases, folders, etc;
  • sharing information about people with unauthorised third parties, either accidentally or willfully;
  • sending emails or letters in error to the wrong person(s) or wrong address(es);
  • a hack into a University computer system that holds information on people.

What to report

In the event of a breach, accident, or error involving personal data, the Data Protection Officer (DPO) must begin an investigation into the incident as soon as possible. The Information Commissioner's Office (ICO) has a checklist of details regarding the breach incident that the DPO must collect. If the incident is severe enough, it must be reported to the ICO.

Reporting the following details to the DPO as soon as possible after the breach will enable her investigation to proceed efficiently and promptly:

  • What information was affected? e.g. student ID numbers, student medical records, staff financial details, etc.
  • When did the breach occur?
  • How did the breach happen? e.g. loss of a memory stick, email sent in error, threw sensitive records into bin rather than confidential waste, etc.
  • How many individuals' personal data are impacted by the incident?
  • Have individuals been made aware of the incident, and/or have any complaints about the incident been received?
  • What, if any, steps have you taken to contain and or mitigate the impact of the incident? e.g. have you recalled the email, resolved the security hack, stopped the data sharing, etc.

Where to report

University Data Protection Officer

Report all breaches to 

Data Protection Officer
Data Protection & Freedom of Information Office (Tay House)
University of Glasgow
G12 8QQ

Tel: 0141 330 3111

UK Information Commissioner

If a satisfactory resolution is not reached by the University DPO, an individual has the right to appeal to the UK Information Commissioner, as the regulator of the Data Protection Act.

Information Commissioner's Office
Wycliffe House
Water Lane

Tel: 0303 123 1113
Fax: 01625 524 510