All incidents and breaches must be reported to SID
What to do if something goes wrong
Colleagues should understand the difference between an incident and a personal data breach:
An incident occurs where there is a risk of personal data being compromised. If handled quickly, an incident can often be contained before it becomes a breach.
A personal data breach occurs when there is a failure in security leading to destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Examples of a breach include:
- The loss or theft of data in any format (eg papers taken from car, post intercepted, unauthorised download)
- Loss or theft of equipment used to store University Information (eg laptop, smartphone, USB stick)
- Compromised IT user account (eg spoofing, hacking, shared password)
- Blagging, where information is obtained by deception (a person claims to be someone else)
- Accidental or unauthorised disclosure of University Information (eg email or letter to wrong recipient or incorrect system permissions/filter failure)
- Corruption or unauthorised modification of vital records (eg alteration of master records)
- Computer systems or equipment compromise (eg virus, malware, denial of service attack)
- Break-in at a location holding sensitive information or containing critical information processing equipment such as servers.
All incidents and breaches must be reported to SID by calling 0300 555 0444
Please do not email SID, as the email may not be read for several days. Once an incident has been reported, we can assess, reduce, and where possible prevent incidents. A Data Security Breach Management procedure is also available.
You should remember that if you report an incident quickly, we can often contain it and stop any personal data from being compromised.
Should a breach occur which creates a risk to the rights of an individual, we have a duty to report this to the Information Commissioner’s Office within 72 hours. We may also need to notify the individual whose data has been breached within the same time period.
Fines have increased to a maximum of £20 million (£17 million) or 4% of global turnover (whichever is higher).