Use the links below to quickly navigate to the information you are looking for:
- Purpose and scope
- Personal data breach
- Examples of personal data breaches
- Why should breaches be reported?
- Procedure for reporting a personal data breach incident
- Breach reporting - to the Information Commissioner's Office (ICO)
- Breach notification - data subject
- Breach notification - to a third party
This document sets out the procedure to be followed for suspected or actual personal data breach incidents and must be read in conjunction with the University's Data Protection Policy.
The purpose of this procedure is to provide a framework within which the University of Warwick (“UOW”) will ensure compliance with its legal obligations in respect of incidents.
This procedure applies to University staff, agency workers, student ambassadors, volunteers, contractors and third party agents who process data for or on behalf of the University and it must be complied with in the event of a suspected or actual personal data breach.
The University is required to keep a record of all personal data breaches. Some of these breaches must be reported to the Information Commissioner's Office ("ICO") without undue delay and, at the latest, within 72 hours of detection. It may also need to notify individuals affected by the breach.
It is vital that all staff report a suspected or actual personal data breach, however minor, as soon as possible after discovery so that the University can investigate promptly and report to the ICO at the latest within 72 hours. Failure to report a personal data breach to the ICO (or to individuals), or a delay in doing so, can result in criticism of the University by the ICO and, in serious cases, in a fine.
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure, theft of, or unauthorised access to, personal data.
- Loss or theft of media or equipment containing personal data (encrypted and non-encrypted devices), e.g. loss of paper record, laptop, iPad or USB stick
- Inappropriate access controls allowing unauthorised use, e.g. sharing of user login details (deliberately or accidentally) to gain unauthorised access or make unauthorised changes to personal data or information systems
- Equipment failure resulting in personal data being unavailable
- Human error, e.g. email containing personal data sent to the incorrect recipient
- Unauthorised disclosure of sensitive or confidential information, e.g. document posted to an incorrect address or addressee
- Unforeseen circumstances such as a fire or flood resulting in damage or destruction of personal data
- Hacking attack resulting in a breach of confidentiality, or an effect on the integrity or availability of personal data
- 'Blagging' offences, where personal data is obtained by deceiving the organisation that holds it
- Insecure disposal of paperwork containing personal data
The longer an incident goes unreported, the harder it becomes to resolve any vulnerabilities. Impacted data subjects have a right to know that their data may have been compromised, so that they can take steps to minimise any adverse impact on them, such as informing their bank that their bank details have been compromised.
The longer an incident goes unreported, the longer a vulnerability may remain unaddressed, allowing the incident to escalate or further incidents to occur. Without timely visibility of the incident through reporting, the University may not be able to fulfil its legal obligations. The EU General Data Protection Regulation (GDPR) places a duty on organisations to report certain types of personal data breach to the Information Commissioner's Office (in the UK's case) without undue delay and within 72 hours of becoming aware of the breach.
Knowing that a breach has occurred and delaying reporting reduces the time available for the investigation team to understand and assist with a response and still meet privacy compliance requirements.
Understanding the cause of breaches allows us to develop and implement systems and processes that are more robust to prevent future breaches and protect personal data.
Responsibility for reporting a suspected breach lies with the person who discovered the breach.
Suspected personal data breach incidents should be reported immediately upon discovery, using the form linked here. You should also inform your line manager, unless there is a need to report it confidentially. Reports are logged in ServiceNow and the University's Data Protection Officer will be made aware of the report.
The University will investigate the breach and, where appropriate, notify or involve the relevant line management and HR.
The DPO (or nominated deputy) upon instruction from the University will notify the ICO, without undue delay, of a reportable personal data breach.
Where the personal data breach is likely to result in a high risk of harm to individuals the University will notify them without undue delay.
Where the personal data breach is likely to result in harm to individuals, the University shall notify any affected third parties (e.g. a joint data controller, or the controller where UoW is the data processor) without undue delay. The University may also need to notify others, e.g. the Police and insurers.
Failure to adhere to this procedure, delay in reporting a suspected or actual breach, and non-reporting of breaches may result in disciplinary action in accordance with the University Staff Disciplinary Procedure.
This procedure will be reviewed annually or where significant changes have occurred.
| Item | Detail |
| --- | --- |
| Responsibility of | Legal and Compliance Services |
| Approval date | 8th December 2020 |
| Author | Rachel Gower, Data Protection Officer |
| Date of commencement | 8th December 2020 |
| Approved by | Legal and Compliance Services |
| Related Policies, Procedures, Guidance, Forms or Templates | Data Protection Policy |
Help and support
If you think you detect any unusual online activity, please report it immediately.
Who needs to know this?
This information concerns us all. If you use a Warwick staff card, a Warwick email address, access one of our staff or student record systems or share your Warwick work with colleagues within or beyond the University, you are involved in activities that must be kept secure.
Data Protection Officer: dpo@warwick.ac.uk
The University of Warwick
Coventry CV4 8UW