The General Data Protection Regulation (GDPR) creates a legal obligation to report personal data breaches that are likely to result in a risk to individuals' rights and freedoms to the Information Commissioner's Office (ICO) within 72 hours of the University becoming aware of them.

To allow the University to meet this deadline, all staff must notify the University's Data Protection Officer of any suspected or actual data breach immediately on identification.

1. What is a personal data breach?

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This covers breaches with both accidental and deliberate causes, and it means that a breach is not limited to the loss of personal data: unauthorised access, alteration or loss of availability also count.

Examples include:

  • theft or other loss of a laptop, tablet, USB drive, mobile phone or other device that stores personal data, whether or not the device is owned by the University of York;
  • unauthorised third-party access to personal data;
  • alteration or deletion of personal data without permission;
  • unwanted disruption or denial of service that makes personal data unavailable;
  • uncontrolled system changes;
  • human error, e.g. personal data being emailed to the wrong recipient or sent to the wrong recipient by post.

Source: Information Commissioner's Office, Guide to the General Data Protection Regulation (GDPR) 


2. On discovery of a breach, what do I need to do?

Notify the Data Protection Officer immediately by telephone on 01904 323 869. When reporting a breach, you must provide:

1. a description of the incident (what happened, when it was discovered, and what personal data was involved), as well as any steps already taken to contain it;

2. an indication of the number of individuals affected;

3. the categories of individuals affected (e.g. staff, students, prospective students, research participants);

4. a description of the likely consequences of the personal data breach for those individuals.

If you are unable to reach the Data Protection Officer by telephone, or if you are reporting a data protection incident outside core hours, email dataprotection@york.ac.uk instead, giving the same information listed above.