Procedures for Personal Data Security Breaches
A personal data security breach ("data breach" for short) occurs when personal data is lost, destroyed, altered, accessed or disclosed without authorisation, whether accidentally or deliberately. Data breaches may occur in a variety of contexts, such as:
- Loss or theft of data (e.g. on a memory stick, laptop or paper records)
- Inappropriate access controls (e.g. weak or shared passwords, or access rights not removed when staff change role or leave)
- Equipment failure
- Confidential information being left unsecured in accessible areas (e.g. leaving IT equipment unattended while logged into a user account, leaving documents on top of shared photocopiers)
- Disclosing confidential data to unauthorised individuals
- Human error (e.g. emails being sent to the wrong recipient)
- Hacking, malware or other security attacks on IT equipment, systems or networks
- Breaches of physical security (e.g. forcing of doors/windows/filing cabinets)
The likelihood or severity of a data breach in your area can be greatly reduced by following our Guidelines for Staff.
If you become aware of a data breach, or suspect that a data breach may have occurred, please report the incident immediately to the Information Compliance Officer. If a data breach has occurred, you will be asked to complete the Personal Data Security Breach Report Form (PDF) and email it to firstname.lastname@example.org as soon as possible.
It is much better to report a data breach straight away than to "cover it up" and risk worse consequences later: the sooner the Information Compliance Office knows, the sooner the data can be recovered or the exposure contained, and the affected individuals notified where necessary. Reporting a data breach is not in itself a disciplinary issue, and once the breach has been reported the Information Compliance Office will handle things from there.
For more information, please see the Procedural Guidelines for Personal Data Security Breaches (PDF).