The GDPR introduces mandatory breach notification - breaches must be reported to the Office of the Data Protection Commissioner (ODPC) within 72 hours, unless the personal data affected was anonymised or encrypted. In practice this will mean that most data breaches must be reported to the DPC. Breaches that are likely to bring harm to an individual – such as identity theft or breach of confidentiality – must also be reported to the individuals concerned.
Data Breach Procedure
Data Breach Report Form
Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.
All breaches or suspected breaches should therefore be reported to the University’s Data Protection Officer without delay for assessment.
What is a "data breach"?
The GDPR defines a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
For example, an unauthorised/accidental:
- disclosure of, or access to, personal data.
- alteration of personal data.
- loss of access to, or destruction of, personal data.
Data breaches may occur in a variety of contexts, such as:
- Loss/theft of personal data (e.g. on a memory stick, laptop or paper records)
- Inappropriate access controls (e.g. using insecure passwords)
- Equipment failure
- Personal data being left unlocked in accessible areas (e.g. leaving IT equipment unattended when logged into a user account, leaving documents on top of shared photocopiers)
- Disclosing personal data to unauthorised individuals (internal or external to the University)
- Human error (e.g. emails/post being sent to the wrong recipient)
- Hacking, viruses or other security attacks on IT equipment, systems or networks
- Breaches of physical security (e.g. forcing of doors/windows/filing cabinets)
If a data breach/suspected data breach is identified, please take the following steps WITHOUT DELAY:
How can I reduce the risk of causing a data breach?
Data breaches can be caused by many factors, but some causes are more likely than others, so taking measures to address the most likely ones is an essential step in reducing risk. Handling personal information responsibly requires high standards of security.
- Keep personal data only on electronic devices that are:
  - Password protected (and never use your UL password for any other account)
  - Regularly scanned with security software
  - Encrypted, if they are portable
- Keep paper documents containing personal data:
  - Locked away when not in use
  - Never lying around or left behind
  - Out of sight of unauthorised people (e.g. when reading a CV in a public place, on a train or in an airplane)
- Once the purpose for which you were given permission to hold the personal data has come to an end, dispose of it, both electronic and paper, only in a manner that does not allow the deletion/destruction to be undone. For paper documents this means confidential shredding, and for electronic data using an appropriate deletion programme. The ‘Recycle Bin’ of your electronic device is not an appropriate place for deleted personal information.
- Never put personal information on any device that can be lost or stolen easily. This includes USB sticks, external hard disks you carry around, laptops left in cars, mobile phones and tablets.
- Storage solutions like Dropbox, Google Drive, etc. must not be used for personal data and are not ITD-supported.
- Don’t log on to public Wi-Fi (e.g. at airports, cafés, etc.) because it can be hacked easily.
- Don’t use your UL password for anything else.
- For paper documents containing personal information:
  - Never keep them on an open shelf in a general office
  - Never throw them in the general bin
  - Never leave them behind after you are finished with them
- For personal information in both electronic and paper formats, if you share it with other people, be sure you have the right to do so.