Data Protection Breach Procedure

The General Data Protection Regulation (GDPR) creates a legal obligation to report certain data protection breaches to the Information Commissioner's Office within 72 hours of identification.

In order to comply with this requirement, all staff must notify the University's Data Protection Officer of suspected or actual data protection breaches immediately on identification.

In the event a breach is suspected or identified outside of core working hours, the Data Protection Officer must still be notified immediately.

1. What is a personal data breach?

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that result from both accidental and deliberate causes. It also means that a breach is about more than just losing personal data.

Examples include:

  • theft or other loss of a personal or university-owned laptop, tablet, USB drive, mobile phone or other device that stores university-owned personal data;
  • unauthorised third-party access to personal data;
  • alteration or deletion of personal data without permission;
  • loss of availability of personal data;
  • uncontrolled system changes;
  • human error, e.g. personal data being emailed to the wrong recipient or sent to the wrong recipient by post.

2. On discovery of a breach, what do I need to do?

Notify the Data Protection Officer immediately by telephone on 01904 323 869. When reporting a breach, you must provide:

1. a description of the incident as well as any steps taken to contain it;

2. an indication of the number of individuals affected;

3. the categories of individuals affected (e.g. University staff, students, prospective students, research participants, alumni);

4. a description of the likely consequences of the personal data breach.

If you are unable to get through to the Data Protection Officer by telephone, or if you are reporting a data protection incident outside of core working hours, please email dataprotection@york.ac.uk and use the subject heading 'Urgent: Data Breach'.