Reporting data breaches
What is a personal data breach?
A personal data breach is:
"a breach in security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data"
This includes breaches as a result of both accidental and deliberate causes.
What might a data breach look like?
- If you have sent information which is considered personal data or sensitive personal data to the wrong recipient, or if you have received such information and it was not intended for you.
- If your work or personal mobile devices, tablets or laptops have been lost or stolen and personal data is stored on those devices.
- If your work or personal devices have become vulnerable to a virus or malware.
- If you have reason to believe another individual has had access to information they should not have – either by entering a private office, or accessing an unlocked device.
- If you become aware that personal data belonging to the College has been the subject of a breach of security while in the hands of any provider of services to the College.
When and how should I report a data breach?
Under the GDPR, the College must report certain types of personal data breaches to the ICO without undue delay, and within 72 hours of becoming aware of them. This means that if you become aware of or suspect a data breach, you must report it as soon as possible, and within 72 hours of becoming aware of it, using the form Notification of Data Security Breach and sending the completed form to email@example.com.
The relevant College groups will then consider and decide whether the ICO and the data subjects need to be notified; this is required where the breach poses a high risk of adversely affecting individuals' rights and freedoms. If the College decides that the breach does not need to be reported, justification may be required, so the decision process must be documented.
What happens next?
Central Secretariat, with assistance from the Legal Services Office and/or ICT Security, will investigate the matter. It is important that you report a breach as soon as possible so that we can contain and control any further damage. We will need to contact you as part of our investigation, so please ensure you provide your contact details. If the data breach concerns your team or department, you and your colleagues may also be asked to assist with notifying affected individuals (where that is necessary) and to help prepare a notification to the Information Commissioner (where notification is required).
Full details of the College’s data breach procedures are set out in the Data breach plan [PDF].