Method statement – Data loss and information security breach management

1. Introduction

1.1 This method statement describes elements to consider and address in the event of data loss or an information security breach. It will assist the University in determining appropriate courses of action if a security breach involving personal or confidential data occurs, and in dealing with any security breach effectively. It forms part of the University’s Information Security and Data Protection policies.

1.2 Data loss and security breaches can happen for a number of reasons and occur in different contexts. They may encompass more than personally identifiable information (eg trade secrets or intellectual property, denial of service, technical malfunctions).

1.3 The University must take appropriate measures against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A breach management policy constitutes one of these measures and supports the University’s obligations under principle 5 (1) (f) of the UK GDPR.

1.4 Breaches of information security, duties of care, confidentiality and integrity (including inappropriate access to or loss of research data) constitute unacceptable research conduct, as governed by the University’s Policy on Research Integrity and its research and academic misconduct policies.

1.5 The method statement should be used alongside policy and guidelines issued by the University of York.

2. Breach management

2.1 Breaches of information security must be reported as soon as discovered and notified in accordance with the reporting protocols and principles given in the University’s Incident Management Policy (see 4.1).

2.2 Breach management has four important strategic elements. When a security breach is discovered the priorities are:

  1. containment and recovery, to limit as far as possible any damage.
  2. assessing the risks associated with the breach. A risk assessment will help inform decisions about remedial actions and notification.
  3. notifying the appropriate people/organisations that a breach has occurred.
  4. understanding the causes and evaluating the effectiveness of the University’s response to the incident, revising its information security measures as necessary in the light of any findings.

2.3 Actions and points for consideration by the investigation lead when addressing the four strands are given in the supporting guidance: Checklist for information security breaches.

2.4 University Officers, Heads of Departments and Section Heads will work with relevant stakeholders, data protection and security specialists and the Information Security Board, where appropriate, to investigate any reported breach in their area of responsibility. They will assist in the timely reporting of breaches and remedial actions to the Director of Technology, Estates and Facilities and Information Security Board.

2.5 Departments holding data supplied by a third-party organisation, where there is a contractual duty to report an incident to that organisation within a particular timeframe, must respect the reporting timescales and guidelines agreed in the governing agreement or terms of use, having first consulted the Director of Technology, Estates and Facilities.

2.6 The Information Security Board will monitor and review information security incidents to identify recurring incidents and areas of risk. The review process will be used to identify requirements for new or changed policies, to update the University risk register and to identify any other relevant controls. The Data Protection Officer will determine notification to the Information Commissioner’s Office.

3. Oversight

3.1 The Information Security Board, chaired by the Director of Technology, Estates and Facilities, will monitor the effectiveness of this method statement and carry out regular reviews.

4. Policy and implementation documents

4.1 Information Security Policy – Incident management policy

4.2 Guidance – Checklist for information security breach

Document history and status

26 March 2014 Approved by Information Policy Executive
24 April 2014 Approved by Information Security Board
29 January 2016 Reviewed and approved by Information Security Board
23 March 2017 Reviewed and approved by Information Security Board
3 July 2017 Addition of 2.7 approved by Information Security Board
20 June 2018 Reviewed and approved by Information Security Board
4 March 2021 Reviewed and approved by Information Security Board


Review cycle: Annual

Date of next review: March 2022