Reporting data breaches
What is a personal data breach?
A personal data breach is:
"a breach in security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data"
This includes breaches as a result of both accidental and deliberate causes.
What might a data breach look like?
- If you have sent information which is considered personal data or sensitive personal data to the wrong recipient, or if you have received such information and it was not intended for you.
- If your work or personal mobile devices, tablets or laptops have been lost or stolen and personal data is stored on those devices.
- If your work or personal devices have become vulnerable to a virus or malware.
- If you have reason to believe another individual has had access to information they should not have – either by entering a private office, or accessing an unlocked device.
- If you become aware that personal data belonging to the College has been the subject of a breach of security while in the hands of any provider of services to the College.
When and how should I report a data breach?
Under the UK GDPR, the College must report certain types of personal data breaches to the ICO without undue delay, and within 72 hours of becoming aware of it.
What this means is that if you become aware of or suspect a data breach, you must report it as soon as possible via completion of the following online form;
The relevant College groups will then consider and decide on a course of action and whether the ICO and/or data subjects need to be notified – where the breach is at a high risk of adversely affecting individuals’ rights and freedoms.
What happens next?
The Central Secretariat will investigate the matter.
It is important that you report a breach as soon as possible so we can contain and control any further damage. We will need to contact you as part of our investigation, so please ensure you provide your contact details. If the data breach concerns your team or department, you and your colleagues may also be asked to assist with notifying affected individuals (where that is necessary) and to help prepare a notification to the Information Commissioner (where notification is required).
Full details of the College’s data breach procedures are set out in the Data breach plan [PDF].