Personal Data Breach Procedure

The University has a Personal Data Breach Procedure document (IGP-07), covering the identification, investigation, mitigation, notification and review of personal data breaches by the University, but it is not freely available to all due to confidentiality considerations. Relevant guidance will be provided for staff on this page addressing what to do in the event of a personal data breach or suspected personal data breach.

What is a personal data breach?

A personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” The key is that any breach must concern personal data. While all personal data breaches will be security breaches, not all security breaches will be personal data breaches. This guidance relates to any actual, suspected, threatened or potential personal data breach, including near misses.

Examples of personal data breaches include: 

• Human error, for example an email attachment containing personal data being sent to the incorrect recipient or records being deleted accidentally
• Sharing of passwords or other credentials with third parties
• Controlled documents being left unattended to be copied, read or photographed by an unauthorised person
• ‘Blagging’ whereby an individual obtains personal data by deception
• Unlawful interception of email or telephone communications or online form submissions
• Loss or theft of a physical file or electronic device containing personal data
• Loss of a decryption key relating to securely encrypted personal data
• A Denial of Service (DoS) attack preventing access to personal data for a period of time
• Damage caused by unforeseen circumstances such as fire or flood
• Opening or clicking a link within a malicious email which contains malware or viruses
• A ransomware attack whereby access to systems or records containing personal data is disabled or encrypted
• A cybersecurity attack whereby personal data are accessed, altered, deleted and/or disclosed by the attacker

If a personal data breach is not addressed properly this may, in addition to any financial, reputational and other losses suffered by us as an organisation, result in the affected individuals: 

• suffering a loss of control over their personal data or limiting their rights in relation to it
• suffering financial loss
• suffering a loss of confidentiality or reputation
• becoming a victim of identity theft or fraud
• becoming subject to discrimination or some other disadvantage or harm

The prevention of personal data breaches from occurring in the first instance is covered by the University’s Information Security Policy and Data Protection Policy).

Responsibilities

All members of staff that have access to or otherwise process personal data are responsible for reporting any personal data breach and for assisting with investigations where necessary.

The Data Protection Officer shall have overall responsibility for the management of the incidents. The Information Security Manager shall also have responsibility for incident management where relevant. For serious personal data breaches involving a serious risk to the University and individuals whose data is involved, a response team consisting of relevant senior staff will be convened.

Identification and reporting of personal data breaches

The rapid identification and reporting of personal data breaches is critical to ensuring they are effectively managed and mitigated, and that the University complies with the obligations of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).

All personal data breaches identified by staff should be reported as a matter of urgency, and within 24 hours of becoming aware of the incident as follows:

• Speak to your line manager OR
• Contact the Data Protection Officer (ext.41824, data-protection@bristol.ac.uk).
• If the above options are not possible, and outside of normal business hours, breaches can be reported to the IT Service Desk (0117 428 2100 / ext.82100, service-desk@bristol.ac.uk), which provides a 24/7 service.

If possible, a Personal Data Breach Notification Form (IGP-07) (Office document, 44kB) should be completed either at the time of or as soon as possible following the initial report of the personal data breach.

Members of staff should be assured that the reporting of any potential personal data breach will not result in suffering any detrimental treatment as a result of raising their concerns. 

Investigation of personal data breaches

Having identified that a personal data breach has or may have occurred, investigation will be undertaken covering:

• the root cause of the breach
• the type of breach
• the scope of the breach
• the groups and numbers of individuals affected by the breach
• the categories of personal data affected by the breach
• whether the personal data affected were protected in any way (e.g. encrypted)
• the potential adverse consequences for the affected individuals
• any other consequences of the breach

A Personal Data Breach Report Form (IGP-07) (Office document, 60kB) will be used to record relevant information.

Mitigation of personal data breaches

Steps required to contain and mitigate the breach will be identified, documented and undertaken. These may include:

• immediately recalling an email that has been sent to the wrong address
• contacting the recipient of an email that has been sent in error and asking them to delete the email from their inbox and deleted items and confirm they have done so
• immediately retrieving paper documents from any unintended recipients
• changing the password for the affected application, device, system or room
• immediately disabling any lost or stolen electronic devices
• notifying colleagues of any immediate steps that they should take
• remotely locating, disabling and/or deleting data stored on a mobile device
• restoring a database or system from a back-up
• disabling network or system access
• notifying staff and/or Processors to do or refrain from doing something
• implementing the University’s business continuity and crisis management plans

All actions need to be appropriate, proportionate and accountable.

Notification of personal data breaches

Notification to the Information Commissioner's Office (ICO)

The University is required to notify the ICO as soon as possible and, where feasible, not later than 72 hours after having become aware, of any personal data breaches involving a high risk to the rights and interests of the affected individuals. Breaches not involving a high risk are not required to be reported. A risk assessment procedure is in place to determine whether incidents need to be reported to the ICO, and will be enacted when required by the Data Protection Officer.

Provided the University has not delayed its investigations, the University will be deemed to have “become aware” of a personal data breach at the time it has concluded with a reasonable degree of certainty that a security breach has occurred which has led to personal data being compromised. This may be later than the time at which the personal data breach was initially reported, depending upon the circumstances.

If the University fails to notify the ICO of a personal data breach in a timely manner, this may constitute a failure to notify which could expose the University to a fine of up to €10 million or 2% of its worldwide annual turnover, whichever is greater.

Notification to affected individuals

The University is required to notify affected individuals of a data breach where it has concluded that the breach is likely to result in a high risk to their rights or interests taking into account the likelihood and severity of the risk. A risk assessment procedure is in place to determine whether incidents need reporting to the affected individuals, and will be enacted when required by the Data Protection Officer. 

It is more likely that personal data breaches revealing an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or including biometric data, genetic data or health data, or data concerning their sex life or sexual orientation (i.e. special category data) will need to be notified to the individuals.

The University is unlikely to be required to communicate a personal data breach to the affected individuals where any one of the following conditions are met:

• the University is satisfied that it has implemented appropriate measures to protect the personal data prior to the breach such that the personal data will be unintelligible in the hands of a third party
• the University has acted quickly in taking steps to reduce the likelihood that any high risk to the affected individuals will materialise
• communicating with the affected individuals would involve disproportionate effort and a public communication would be equally effective

Notification to other parties and stakeholders

It is possible that incidents will also need to be reported to other parties, including:

• Research funders, partners and data providers - the University may be subject to contractual terms requiring notification of personal data breaches or it would be in breach of contract and liable to legal sanction or other consequences.
• Data processors - it may be necessary to notify third parties processing the data on behalf of the University that an incident has occurred.
• Insurers -  the University’s Insurance Officer may need to be informed of serious incidents so consideration can be given to whether to report the incident to the University’s insurers.