Use the links below to quickly navigate to the information you are looking for:
- Purpose and scope
- Personal data breach
- Examples of personal data breaches
- Why should breaches be reported?
- Procedure for reporting a personal data incident breach
- Breach reporting –to the Information Commissioner’s Office (ICO)
- Breach notification - data subject
- Breach notification - to a third party
This document sets out the guidance and procedure for personal data breach incidents and must be read in conjunction with the University’s Data Protection Policy [this will be updated from 25 May 2018].
The purpose of this procedure is to provide a framework within which the University of Warwick (“UOW”) will ensure compliance with the legislative requirements of managing a personal data breach incident, or suspected personal data breach incident.
This procedure applies to University staff, agency workers, student ambassadors, volunteers, contractors and third party agents who process data for or on behalf of the University and it must be complied with in the event of a personal data breach.
The University is required to keep a record of all security incidents involving personal data. Some of these incidents must be reported to the Information Commissioner within 72 hours of detection, and without undue delay to individuals affected by the incident. It is vital that all staff report a personal data breach, or suspected personal data breach, however minor, as soon as possible after discovery so that we can use the 72 hours to establish what has happened, the size of the breach and whether it needs to be reported further.
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure, theft, or unauthorised access, to personal data.
- Loss or theft of personal data or equipment (encrypted and non-encrypted devices) on which personal data is stored, e.g. loss of paper record, laptop, iPad or USB stick
- Inappropriate access controls allowing unauthorised use, e.g. sharing of user login details (deliberately or accidentally) to gain unauthorised access or make unauthorised changes to personal data or information systems
- Equipment failure
- Human error, e.g. email containing personal data sent to the incorrect recipient
- Unauthorised disclosure of sensitive or confidential information, e.g. document posted to an incorrect address or addressee
- Unforeseen circumstances such as a fire or flood
- Hacking attack
- ‘Blagging’ offences where information is obtained by deceiving the organisation who holds it
- Insecure disposal of paperwork containing personal data
The longer an incident goes unreported, the harder it gets to resolve any vulnerabilities. Impacted data subjects have a right to know that their data may have been compromised and that they could then take steps that could minimise an adverse impact on them such as informing their bank that their bank details have been compromised.
The longer an incident goes unreported, the longer a vulnerability may remain unaddressed allowing the incident to escalate or for further incidents to occur. Without timely visibility of the incident through reporting the University may not be able to fulfil its legal obligations. The EU General Data Protection Regulations (GDPR) places a duty on organisations to report certain types of personal data breach to the Information Commissioner's Office (in the UK's case) within 72 hours of becoming aware of the breach.
Knowing that a breach has occurred and delaying reporting reduces the time available for the investigation team to understand and assist with a response and still meet privacy compliance requirements.
Understanding the cause of breaches allows us to develop and implement systems and processes that are more robust to prevent future breaches and protect personal data.
The primary point of contact for reporting a data breach incident is the Group Data Protection Officer (DPO) in the Information and Data Compliance Team (IDC).
Responsibility for reporting a suspected breach lies with the person who discovered the breach.
Suspected personal data breach incidents should be reported immediately upon discovery, in writing (or by phone if that is not possible), to the Data Protection Officer (DPO) in the Information and Data Compliance Team (IDC) at DPO@warwick.ac.uk, using the form linked here. This form should be sent by email and copied to your line manager (unless there is a need to report it confidentially to the DPO).
The DPO (or nominated deputy) will investigate the breach and, where appropriate, notify relevant line management and HR.
The DPO (or nominated deputy) will notify the ICO, without undue delay, of a reportable personal data breach.
Where the personal data breach, or suspected personal data breach, is likely to result in impacting the rights and freedoms of the data subject the University shall notify the affected data subjects, without undue delay, in accordance with the DPO’s (or nominated deputy’s) recommendations.
Where the personal data breach, or suspected personal data breach, is likely to result in impacting the rights and freedoms of the data subject the University shall notify the affected third parties (e.g. joint data controller/ to the controller where UOW is the processor) without undue delay, in accordance with the DPO’s (or nominated deputy’s) recommendations. The University may also need to notify others, e.g. the Police and insurers.
Failure to adhere to this procedure, delay in reporting the breach to the DPO and non-reporting of breaches, may result in disciplinary action in accordance with the University Staff Disciplinary Procedure.
This procedure will be reviewed annually or where significant changes have occurred.
|Approval date||14th May 2018|
|Author||Anjeli Bajaj Group Data Protection Officer|
|Date of commencement||15th May 2018|
|Related Policies, Procedures, Guidance, Forms or Templates||Data Protection Policy|