What to do if something goes wrong
Colleagues should understand the difference between an incident and a personal data breach:
An incident occurs where there is a risk of personal data being compromised. If handled quickly, an incident can often be contained before it becomes a breach.
A personal data breach occurs when there is a failure in security leading to destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Examples include:
- The loss or theft of data in any format (eg papers taken from car, post intercepted, unauthorised download)
- Loss or theft of equipment used to store University information (eg laptop, smartphone, USB stick)
- Compromised IT user account (eg spoofing, hacking, shared password)
- Blagging where information is obtained by deception (a person claims to be someone else)
- Accidental or unauthorised disclosure of University information (eg email or letter to wrong recipient or incorrect system permissions/filter failure)
- Corruption or unauthorised modification of vital records (eg alteration of master records)
- Computer systems or equipment compromise (eg virus, malware, denial of service attack)
- Break-in at a location holding sensitive information or containing critical information processing equipment such as servers.
All incidents and breaches must be reported to SID by calling 0300 555 0444.
Please follow the advice and procedures on the Information Governance web pages here: Report a Data Breach/Incident.
You should remember that if you report an incident quickly, we can often contain it and stop any personal data from being compromised.
Should a breach occur which creates a risk to the rights of an individual, we have a duty to report this to the Information Commissioner’s Office within 72 hours. We may also need to notify the individual whose data has been breached, within the same time period.
Fines have increased to a maximum of £20 million (£17 million) or 4% of global turnover (whichever is higher).