Broadcast: News items

Data breaches in the news – a ‘real life’ reminder of how important it is to safeguard the University’s personal data and sensitive information

You may have noticed several recent high profile data breach cases which have appeared in the news over the past month or two; these cases, both involving the accidental release of sensitive personal information, serve as a reminder to us all of the importance of safeguarding the University’s information and personal data.

In one case involving the Police Service of Northern Ireland (PSNI), names of all police and civilian personnel, where they were based, and their roles were published online. A second matter saw the accidental release by Norfolk and Suffolk police forces of information about 1,230 people, amongst them victims and witnesses of crime, including descriptions of sexual offences and domestic assaults, as part of a response to a Freedom of Information request.

Whilst many of the University’s data breaches are low-risk, usually human error relating to email (e.g. using the cc function instead of bcc, sending emails to the incorrect recipients, including incorrect attachments), these real life cases that we’ve seen in the news recently are a reminder that a simple mistake can also have more serious consequences, both reputationally and in terms of potential harm to the individuals involved.

As such, it is important to stay vigilant and be mindful whenever processing personal data, and to familiarise yourself with the University’s policies and processes relating to data protection, as well as guidance issued by the Information Management team around how to avoid breaches, especially when using email.

As inevitably some breaches will still occur, it is equally important that all staff are aware of when and how to report a data breach. Personal data breaches need to be reported to the University’s Data Protection Officer (DPO) immediately (as soon you become aware of a breach, whether or not it has originated with you). There is a data breach reporting form on our webpages – and it is worth bookmarking this site for easy access. Completing the form is the best way to report, as it ensures that the key information the DPO needs to assess the breach is captured.

Reporting urgently not only increases the chance of being able to stop and/or mitigate the impact of the breach, but it also means that we can meet our reporting requirements in the case of more serious breaches, which need to be reported to the Information Commissioner’s Office within 72 hours.

It is also important to remember that information security breaches can occur even if personal data is not involved, as the University also handles other sensitive information (e.g. commercially sensitive data, research data) and can be a target of attempted cyber attacks. More information and resources about information security can be found on the ITS webpages.

If you have any questions, please don’t hesitate to contact the University’s Information Management team at dpo@sussex.ac.uk. More general data protection queries can be sent to GDPR@sussex.ac.uk