The General Data Protection Regulation (GDPR) creates a legal obligation to report certain data breaches to the Information Commissioner's Office within 72 hours of identification.
In order to comply with this requirement, all staff must notify the University's Data Protection Officer of suspected or actual data breaches immediately on identification.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
Source: Information Commissioner's Office, Guide to the General Data Protection Regulation (GDPR)
Notify the Data Protection Officer immediately by telephone on 01904 323 869. When reporting a breach, you must provide:
1. a description of the incident as well as any steps taken to contain it;
2. an indication of the number of individuals affected;
3. the categories of individuals affected (e.g. staff, students, prospective students, research participants);
4. a description of the likely consequences of the personal data breach.
If you are unable to get through to the Data Protection Officer by telephone or if you are reporting a data protection incident outside of core hours, please email firstname.lastname@example.org and use subject heading 'Urgent: Data Breach'.