The General Data Protection Regulation (GDPR) creates a legal obligation to report certain data protection breaches to the Information Commissioner's Office within 72 hours of identification.
In order to comply with this requirement, all staff must notify the University's Data Protection Officer of suspected or actual data protection breaches immediately on identification.
In the event a breach is suspected or identified outside of core working hours, the Data Protection Officer must still be notified immediately.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is about more than just losing personal data.
Examples include:
Notify the Data Protection Officer immediately by telephone on 01904 323 869. When reporting a breach, you must provide:
1. a description of the incident as well as any steps taken to contain it;
2. an indication of the number of individuals affected;
3. the categories of individuals affected (e.g. University staff, students, prospective students, research participants, alumni);
4. a description of the likely consequences of the personal data breach.
If you are unable to get through to the Data Protection Officer by telephone, or if you are reporting a data protection incident outside of core working hours, please email dataprotection@york.ac.uk and use the subject heading 'Urgent: Data Breach'.