Data Protection Breaches
Under the GDPR a breach which is reportable to the Data Protection Commission must be reported not later than 72 hours after having become aware of it. All breaches or suspected breaches should therefore be reported to the Data Protection Officer without delay for assessment.
A personal data protection breach ("data breach" in short) usually occurs when:
- there is an unauthorised or accidental disclosure of, or access to, personal data.
- there is an unauthorised or accidental alteration of personal data.
- there is an accidental or unauthorised loss of access to, or destruction of, personal data.
The GDPR defines a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".
Data breaches may occur in a variety of contexts, such as:
- Loss or theft of data (e.g. on a memory stick, laptop or paper records)
- Inappropriate access controls (e.g. using unsecure passwords)
- Equipment failure
- Confidential information being left unlocked in accessible areas (e.g. leaving IT equipment unattended when logged into a user account, leaving documents on top of shared photocopiers)
- Disclosing confidential data to unauthorised individuals
- Human error (e.g. emails being sent to the wrong recipient)
- Hacking, viruses or other security attacks on IT equipment systems or networks e.g. Ransomeware
- Breaches of physical security (e.g. forcing of doors/windows/filing cabinets)
If a data breach has occurred, you will be asked to complete the Data Protection Breach Report Template and email it to firstname.lastname@example.org as soon as possible. It is much better to report a data protection breach straight away than to "cover it up" and risk negative consequences down the line. A data protection breach is not a disciplinary issue, and once the breach has been reported the Data Protection Officer will handle things from there.
The likelihood or severity of a data breach in your area can be greatly reduced by following our Guidelines for Staff.
For more information, please see the Procedural Guidelines for Personal Data Security Breaches (PDF).