Information Governance and Security
- Data Breaches
Any Personal Data Breach must be reported immediately (via the link below) after it is discovered.
The University must decide within 72 hours (including weekends) of the moment you become aware of the breach whether to notify the Information Commissioner's Office. Do not delay reporting the breach; otherwise the University is at risk of missing the statutory deadline.
If you become aware of an actual or suspected data breach
IMMEDIATELY REPORT THE INCIDENT
You should also include the name of your line manager within the report and let them know immediately about the incident.
- Click the link above and log in to TopDesk using your normal Keele credentials;
- Click on the 'Information Security' tile;
- Click on the 'Report a Breach' link (top right);
- Complete the reporting form and submit.
You will receive a confirmation email with an Incident number in the subject line. Use this Incident number in the subject line of any further correspondence to firstname.lastname@example.org so that it is logged to the same incident.
(Don't worry if you can't supply all the information. Give as much as you can as early as you can; you can always follow up later.)
What is a personal data breach?
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data. The following are examples of personal data breaches (and this is by no means exhaustive!):
- Loss of a device containing personal data (especially if unencrypted);
- Email containing personal data sent to wrong email address;
- Unauthorised access to SCIMS (or any other personal data system);
- Destruction of personal information in a fire (where no backup exists);
- Document(s) on Google drive being shared to unauthorised people;
- Personal data viewed on people's desks etc. by unauthorised people;
- University systems hacked and personal data stolen/altered/destroyed.
What breaches do Keele need to report to the ICO?
We only need to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed, such a breach is likely to have a significant detrimental effect on individuals, e.g. result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
This has to be assessed on a case by case basis. For example, we would need to notify the ICO about a loss of student details where the breach leaves individuals open to identity theft. On the other hand, the loss or inappropriate alteration of a staff telephone list, for example, would not normally meet this threshold.
The DPO will normally make the assessment of whether to report to the ICO and will make the report if necessary.
When do individuals have to be notified?
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly.
The DPO will advise whether it is necessary to inform the individuals. Sometimes we may consider that the risk does not reach the 'high risk' bar but that we would still like to notify the individuals (e.g. where we consider that they may well become aware of the breach and it would be better that we have told them before they find out otherwise).
A ‘high risk’ means the threshold for notifying individuals is higher than notifying the ICO.
What information must we provide to individuals when telling them about a breach?
You need to describe, in clear and plain language, the nature of the personal data breach and, at least:
- the name and contact details of our Data Protection Officer (Anne-Marie Long, email: email@example.com) or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach; and
- a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
How to deal with an incident
The most important message here is to act quickly.
If you are aware of, or suspect there has been, a breach, remember we only have 72 hours* to consider our response with respect to reporting this, but just as importantly we should act as quickly as possible to mitigate any potential damage to the data subjects affected. Please do not wait until you have all the details before logging a report. Log it as soon as you can and then follow up with more details as they arise. Please follow the reporting instructions below.
Mitigation may include:
- Attempting to recover lost data if possible (e.g. retrieving lost equipment or paperwork);
- Removing data that has been released in error (e.g. removing the offending file from the internet);
- Locating back-up data for lost/corrupted data;
- Immediately changing passwords if you think your account has been compromised (e.g. you have been the victim of a phishing attack and have given out your login details).
If you need any specific IT technical help or assistance, then also log a separate enquiry with the IT service desk.
*This time limit is effective under GDPR from 25th May 2018