The University has a Personal Data Breach Procedure document (IGP-07), covering the identification, investigation, mitigation, notification and review of personal data breaches by the University, but it is not freely available to all due to confidentiality considerations. Relevant guidance will be provided for staff on this page addressing what to do in the event of a personal data breach or suspected personal data breach.
A personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” The key is that any breach must concern personal data. While all personal data breaches will be security breaches, not all security breaches will be personal data breaches. This guidance relates to any actual, suspected, threatened or potential personal data breach, including near misses.
Examples of personal data breaches include:
If a personal data breach is not addressed properly this may, in addition to any financial, reputational and other losses suffered by us as an organisation, result in the affected individuals:
The prevention of personal data breaches from occurring in the first instance is covered by the University’s Information Security Policy and Data Protection Policy).
All members of staff that have access to or otherwise process personal data are responsible for reporting any personal data breach and for assisting with investigations where necessary.
The Data Protection Officer shall have overall responsibility for the management of the incidents. The Information Security Manager shall also have responsibility for incident management where relevant. For serious personal data breaches involving a serious risk to the University and individuals whose data is involved, a response team consisting of relevant senior staff will be convened.
The rapid identification and reporting of personal data breaches is critical to ensuring they are effectively managed and mitigated, and that the University complies with the obligations of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).
All personal data breaches identified by staff should be reported as a matter of urgency, and within 24 hours of becoming aware of the incident as follows:
If possible, a Personal Data Breach Notification Form (IGP-07) (Office document, 44kB) should be completed either at the time of or as soon as possible following the initial report of the personal data breach.
Members of staff should be assured that the reporting of any potential personal data breach will not result in suffering any detrimental treatment as a result of raising their concerns.
Having identified that a personal data breach has or may have occurred, investigation will be undertaken covering:
A Personal Data Breach Report Form (IGP-07) (Office document, 60kB) will be used to record relevant information.
Steps required to contain and mitigate the breach will be identified, documented and undertaken. These may include:
All actions need to be appropriate, proportionate and accountable.
The University is required to notify the ICO as soon as possible and, where feasible, not later than 72 hours after having become aware, of any personal data breaches involving a high risk to the rights and interests of the affected individuals. Breaches not involving a high risk are not required to be reported. A risk assessment procedure is in place to determine whether incidents need to be reported to the ICO, and will be enacted when required by the Data Protection Officer.
Provided the University has not delayed its investigations, the University will be deemed to have “become aware” of a personal data breach at the time it has concluded with a reasonable degree of certainty that a security breach has occurred which has led to personal data being compromised. This may be later than the time at which the personal data breach was initially reported, depending upon the circumstances.
If the University fails to notify the ICO of a personal data breach in a timely manner, this may constitute a failure to notify which could expose the University to a fine of up to €10 million or 2% of its worldwide annual turnover, whichever is greater.
The University is required to notify affected individuals of a data breach where it has concluded that the breach is likely to result in a high risk to their rights or interests taking into account the likelihood and severity of the risk. A risk assessment procedure is in place to determine whether incidents need reporting to the affected individuals, and will be enacted when required by the Data Protection Officer.
It is more likely that personal data breaches revealing an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or including biometric data, genetic data or health data, or data concerning their sex life or sexual orientation (i.e. special category data) will need to be notified to the individuals.
The University is unlikely to be required to communicate a personal data breach to the affected individuals where any one of the following conditions are met:
It is possible that incidents will also need to be reported to other parties, including: