Data protection law requires the University to protect data from unauthorised access, misuse or loss.
Data breach incidents often include the following situations:
- emailing information to the wrong recipient
- sharing information via Box or other methods with the wrong recipients
- making information available by posting it on a website or social media
- storing information in an area that lacks access controls (physical or electronic)
- removing or disabling access controls or other lax internal security practices
- providing means of access to an individual through provision of a password or granting of permissions
- a USB stick, laptop or phone containing personal data being lost or stolen
- a third-party provider notifying the University that it has suffered a breach of the data it processes on the University’s behalf
If one of the above happens, or you suspect that the University’s systems or data have been compromised, you must report it without delay to the University’s Data Protection Officer at email@example.com
Describe what has happened, what data has been affected and what steps have been taken to address it. The DPO may ask you for additional information.
The University has 72 hours in law to determine whether the data breach is severe enough to require notification to the Information Commissioner’s Office. Swift action also helps where the University needs to inform individuals affected by the incident, for example, to change a password or contact their bank.
The DPO will address these immediate issues and work with the required parties in the University to close down the breach.
Subsequently, the DPO may make further recommendations to review systems and processes, and mandate additional training or support.
For further information, please email firstname.lastname@example.org