
Personal Data Breach Procedure



This document sets out the procedure to be followed for suspected or actual personal data breach incidents and must be read in conjunction with the University's Data Protection Policy.

Purpose and scope

The purpose of this procedure is to provide a framework within which the University of Warwick (“UOW”) will ensure compliance with its legal obligations in respect of incidents.

This procedure applies to University staff, agency workers, student ambassadors, volunteers, contractors and third party agents who process data for or on behalf of the University and it must be complied with in the event of a suspected or actual personal data breach.

The University is required to keep a record of all personal data breaches. Some of these breaches must be reported to the Information Commissioner ("ICO") without undue delay and, at the latest, within 72 hours of detection. The University may also need to notify individuals affected by the breach.

It is vital that all staff report a suspected or actual personal data breach, however minor, as soon as possible after discovery so that the University can investigate promptly and report to the ICO at the latest within 72 hours. Failure to report a personal data breach to the ICO (or to individuals) or a delay in doing so can result in criticism of the University by the ICO and, in serious cases, result in a fine.

Personal data breach

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure, theft, or unauthorised access, to personal data.

Examples of personal data breaches

  • Loss or theft of media or equipment containing personal data (encrypted and non-encrypted devices), e.g. loss of paper record, laptop, iPad or USB stick
  • Inappropriate access controls allowing unauthorised use, e.g. sharing of user login details (deliberately or accidentally) to gain unauthorised access or make unauthorised changes to personal data or information systems
  • Equipment failure resulting in personal data being unavailable
  • Human error, e.g. email containing personal data sent to the incorrect recipient
  • Unauthorised disclosure of sensitive or confidential information, e.g. document posted to an incorrect address or addressee
  • Unforeseen circumstances such as a fire or flood resulting in damage or destruction of personal data
  • Hacking attack resulting in a breach of confidentiality, effect on the integrity of personal data or its availability
  • ‘Blagging’ offences where personal data is obtained by deceiving the organisation who holds it
  • Insecure disposal of paperwork containing personal data

Why should breaches be reported?

The longer an incident goes unreported, the harder it gets to resolve any vulnerabilities. Impacted data subjects have a right to know that their data may have been compromised and that they could take steps that could minimise an adverse impact on them such as informing their bank that their bank details have been compromised.

The longer an incident goes unreported, the longer a vulnerability may remain unaddressed, allowing the incident to escalate or further incidents to occur. Without timely visibility of the incident through reporting, the University may not be able to fulfil its legal obligations. The EU General Data Protection Regulation (GDPR) places a duty on organisations to report certain types of personal data breach to the Information Commissioner's Office (in the UK's case) without undue delay but within 72 hours of becoming aware of the breach.

Knowing that a breach has occurred and delaying reporting reduces the time available for the investigation team to understand and assist with a response and still meet privacy compliance requirements.

Understanding the cause of breaches allows us to develop and implement systems and processes that are more robust to prevent future breaches and protect personal data.

Procedure for reporting a personal data breach incident

Responsibility for reporting a suspected breach lies with the person who discovered the breach.

Suspected personal data breach incidents should be reported immediately upon discovery, using the form linked here. You should also inform your line manager, unless there is a need to report it confidentially. Reports are logged in ServiceNow, and the University's Data Protection Officer will be made aware of the report.

The University will investigate the breach and, where appropriate, notify or involve the relevant line management and HR.

Breach reporting – to the Information Commissioner’s Office (ICO)

The DPO (or nominated deputy) upon instruction from the University will notify the ICO, without undue delay, of a reportable personal data breach.

Breach notification - data subject

Where the personal data breach is likely to result in a high risk of harm to individuals the University will notify them without undue delay.

Breach notification - to a third party

Where the personal data breach is likely to result in harm to individuals the University shall notify any affected third parties (e.g. a joint data controller, or the controller where UoW is the Data Processor) without undue delay. The University may also need to notify others, e.g. the Police and insurers.


Failure to adhere to this procedure, delay in reporting a suspected or actual breach and non-reporting of breaches may result in disciplinary action in accordance with the University Staff Disciplinary Procedure.


This procedure will be reviewed annually or where significant changes have occurred.

Help and support

If you think you detect any unusual online activity, please report it immediately.

Self-Service Online - make requests and report incidents through our web-based tool ServiceNow.
To report a data breach now, follow this ServiceNow link to complete the process securely.
Call us on 024 765 73737. We're open 9:00am to 5:00pm, Monday to Friday (excluding bank holidays).
Email us at

Who needs to know this?

This information concerns us all. If you use a Warwick staff card, a Warwick email address, access one of our staff or student record systems or share your Warwick work with colleagues within or beyond the University, you are involved in activities that must be kept secure.

Data Protection Officer
The University of Warwick
University House
Coventry CV4 8UW