Reporting a data security breach/incident

Report all data security breaches by contacting SID on 0300 555 0444

A data security breach involves the loss of, or unauthorised access to, personal or confidential data or intellectual property. This includes both information in hard copy and electronic information. Breaches include:

Theft or loss of data eg sensitive papers or a laptop containing intellectual property being lost
Accidental disclosure eg personal data being emailed to the wrong person or published online
Malicious access to data eg student personal data being given out to an impostor over the telephone or hacking

All information security incidents (including those involving paper records) must be reported promptly so the risk to individuals, the University and others can be contained and prevented where possible.

If a data security breach has occurred you must contact SID by phone and follow the Data Breach Procedure.

Do not contact via email as there can be a delay in responding and the associated risks can significantly increase. By reporting quickly, steps can be taken to investigate, secure the information and prevent incidents from becoming a breach.

Theft and break-ins

Theft of equipment and physical break-ins should also be reported to the University Estate Patrol telephone: 01392 723999; report an incident.

Policy

Please see our Data Breach Policy for more information regarding your responsibilities.

What is the difference between an incident and a data breach?

Incident

An information security incident is where there is the risk of a breach; by reporting these quickly, steps can be taken to investigate, secure the information and prevent the incident becoming a breach.

An incident is like a health and safety near-miss; by reporting it we can not only prevent a breach occurring, but can also learn where our risks are and identify controls to reduce the risk of them reoccurring.

Breach

An information security breach is where the incident has resulted in any loss of, or unauthorised access to University data, normally involving University personal or confidential information, including intellectual property (IP).

Any information security breach that involves personal information is a breach of the Data Protection Act 1998. The University needs to investigate, and when appropriate report these to the Information Commissioners Office who can issue enforcement action, including fines.

Reporting concerns

Staff must report any perceived breaches so they can be fully investigated. Ignoring them allows the information to go unchecked and the risk to individuals and the University to increase, therefore staff are more likely to receive a disciplinary for not reporting a security incident or breach.

Data breach reporting - all campuses

If a data security breach has occurred you should contact SID:

Campus	Phone	Location
Streatham Campus, Exeter	0300 555 0444	Student Information Desk (SID), Forum
Cornwall Campus, Penryn	0300 555 0444	Contact SID at Streatham Campus
Knowledge Spa, Truro	0300 555 0444	Contact SID at Streatham Campus

If you are unsure whether a breach has occurred contact SID for advice. Minor incidents that do not require any action should be reported using the Exeter IT Self Service Portal.

Examples of data breach

The loss or theft of data in any format (eg papers taken from car, post intercepted, unauthorised download)
Loss or theft or equipment used to store University information (eg laptop, smartphone, USB stick)
Inappropriate access controls allowing unauthorised access
Compromised IT user account (eg spoofing, hacking, shared password)
Blagging where information is obtained by deception (a person claims to be someone else over the phone)
Accidental or unauthorised disclosure of University information (eg email or letter to wrong recipient or incorrect system permissions/filter failure)
Corruption or unauthorised modification of vital records (eg alteration of master records)
Computer systems or equipment compromise (eg virus, malware, denial of service attack)
Break-in at a location holding sensitive information or containing critical information processing equipment such as servers.

Data breach FAQs

Why do I need to report by phone?

All data breaches and incidents must be reported by calling SID (the Student Information Desk). This ensures an immediate response and steps can be taken to secure the information and limit the risks to individuals and the University. Emails to SID can take up to 5 days to be dealt with, by this time the information has been left unchecked and what was only an incident has now become a much more significant breach!

I clicked a link and nothing happened, do I need to report?

Yes, if you click a link in a phishing email you must report even if nothing appears to happen, IT can then check to ensure your computer hasn’t been infected in the background.

What impact does GDPR (new data protection law) have on breaches?

Under the new law it is mandatory to report breaches and we need to ensure we have reported within 72 hours of identifying the breach. We can get fined for data breaches, we can also get fined for not reporting a data breach.

How much are data breach fines?

Under the GDPR fines could be up to 20 million euros and we can be fined for not reporting.

The size of fine is relevant to the risk; if we quickly report, investigate and manage the data breach we can reduce the risks to individuals and this can reduce the amount the University is fined.

How do I report the loss of hard copy files?

The loss of any data, regardless of its medium, can constitute a data breach. Even a single piece of paper can contain information whose release could be harmful. Losses of hard copy data need to be reported in the same way, by calling SID.