Data Breach Notification
The GDPR defines a data breach as
A breach of personal data must be reported to the Data Protection Commission not later than 72 hours after having become aware of it.
All breaches or suspected incidents should be reported to firstname.lastname@example.org without delay for assessment. A data protection breach is not a disciplinary issue. Once the breach has been reported, the Data Protection Officer will take responsibility for next steps.
For more information please see the University Personal Data Breach Procedural Guidelines.
A data breach usually occurs when:
- there is an unauthorised or accidental disclosure of, or access to, personal data;
- there is an unauthorised or accidental alteration of personal data; or
- there is an accidental or unauthorised loss of access to, or destruction of, personal data.
Data breaches may occur in a variety of contexts, such as:
- Disclosing confidential data to unauthorised individuals
- Human error (e.g. emails being sent to the wrong recipient)
- Loss or theft of data (e.g. on a memory stick, laptop or paper records)
- Inappropriate access controls (e.g. using insecure passwords)
- Equipment failure
- Confidential information being left unlocked in accessible areas (e.g. leaving IT equipment unattended when logged into a user account, leaving documents on top of shared photocopiers)
- Hacking, viruses or other security attacks on IT equipment, systems or networks (e.g. ransomware)
- Breaches of physical security (e.g. forcing of doors/windows/filing cabinets)
It is much better to report a data protection breach straight away than to "cover it up" and risk negative consequences down the line.
Further information in respect of breach notification is available from the Data Protection Commission.