Personal Data Breaches
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Here are some examples of personal data breaches:
- Human error, for example an email attachment containing personal data being sent to the incorrect recipient or records being deleted accidentally;
- ‘Blagging’ whereby an individual obtains personal data by deception;
- Loss or theft of a physical file or electronic device containing personal data;
- A ransomware attack whereby access to systems or records containing personal data is disabled or encrypted;
- A cybersecurity attack whereby personal data are accessed, altered, deleted and/or disclosed by the attacker.
When a personal data breach occurs, the University must determine the likelihood of risk to individuals' rights and freedoms. This includes considering negative consequences such as:
- physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights
- identity theft or fraud
- financial loss
- unauthorised reversal of pseudonymisation
- damage to reputation
- loss of confidentiality of personal data protected by professional secrecy
- other significant economic or social disadvantage
Depending on the risk, the University may have to notify the Information Commissioner's Office (ICO) and the affected individuals that a personal data breach has occurred.
A notifiable breach must be reported to the ICO without undue delay, but not later than 72 hours after becoming aware of it.
It is therefore important that, if you suspect a data breach or somebody notifies you of one, the person who discovered the breach reports it immediately, either by completing the data breach form or by telephoning the IT Service Desk on +44 (0) 24 7765 7777.
If you have any doubts or are not sure if a personal data breach has occurred, please report it and we will investigate further.