Reporting Data Breaches
What is a personal data breach?
Under data protection legislation, a personal data breach is a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Breaches can be small, relating to one person, or can affect many hundreds of individuals. The impact of a breach can be significant, for the individuals affected and the University.
Breaches can affect information held electronically or in paper files, and personal data can be lost or compromised in a number of ways. The cause might be an email sent to the wrong person, a lost or stolen device such as a laptop or memory stick, hard copy paperwork being lost or disposed of incorrectly, or unauthorised or incorrect access being given to systems.
The majority of data breaches are accidental but can also be caused by unlawful actions, such as cyber security incidents.
What should you do if you discover a personal data breach?
Any personal data breach, however minor, must be reported immediately to the Data Protection Officer. This is so the matter can be assessed and we can take steps to limit the impact of a breach where possible. If you’re not sure if something is a breach, please still report it immediately.
Click HERE to report a breach or a suspected breach
Clicking the above will take you to the Breach Notification Form which asks for the information that we need to establish if a data breach has occurred, and to decide what immediate steps we need to take, including whether the breach should be reported to the Information Commissioner’s Office (‘ICO’).
If a breach is likely to have a significant impact on the individual(s), then it must be reported to the ICO within 72 hours of the University becoming aware of the breach. So it is important that all breaches are reported to the Data Protection Officer without delay.
If you don’t have all the information for the form, please just provide what you can – don’t delay in making the report whilst you gather information. Any delay can affect the steps that we can take to reduce the impact of any data breach and may also mean we do not meet the legal timescales for reporting to the ICO.
You can also contact the Data Protection Officer directly by email at dpo@sussex.ac.uk or by telephone on 01273 678472.
What happens next?
On receipt of the breach notification form, the Data Protection Officer or a colleague from the Information Management team will assess the matter and will work with you and other relevant colleagues to make sure that any personal data is secured and any impacts of the breach are minimised.
When assessing whether a breach must be reported to the ICO, the Data Protection Officer will establish the likelihood of the breach impacting the rights and freedoms of those affected, and assess the severity of any potential consequences for the individual. If there is a risk of a significant impact, then the University must notify the ICO – the Data Protection Officer is responsible for making any notification.
If we need to make a report to the ICO we will need to provide details about the nature of the personal data breach, as well as approximate numbers of individuals affected and who those individuals are. We will also need to include details of the personal data involved. We will need to report the likely consequences of the breach and the measures we have taken, or propose to take, to deal with the breach and mitigate any possible adverse effects.
Should you notify the affected data subjects?
If the breach is likely to result in a high risk to the rights and freedoms of the affected individual(s), then the University will also need to inform those concerned directly and without undue delay. The Data Protection Officer will assess if notification is required and will advise on the content of any notification, such as the steps that individuals may wish to take to mitigate the impact of the breach.
Even where the breach is not likely to result in a high risk, there may be some limited cases where we decide to notify individuals anyway. However, any notification should be discussed with the Data Protection Officer first.
Who is responsible?
The University, as the Data Controller, has legal responsibility for all personal data breaches, so staff should not be concerned about reporting a breach to us. We understand that mistakes happen and the vast majority of breaches are accidental.
However, if it is found that a personal data breach is the result of deliberate misconduct or a continued failure to comply with policies, procedures or safe data handling practices, the University may consider taking appropriate disciplinary action against those involved.
To reduce the risk of handling personal data inappropriately, staff should be familiar with the Data Protection Policy. Under the policy staff must ensure:
- that they process personal data in line with the policy and that there are adequate safeguards in place to protect personal data; and
- that they report any personal data breaches they become aware of immediately via this process.
Common breaches
Over 90% of the personal data breaches at the University relate to emails. Breaches are often caused by emails being sent to the wrong person or an email is sent to the right person, but it includes the wrong documents or information.
Please read our Guidance on the Use of Email which sets out advice on how to reduce the risk of data breaches by email.
Last updated 1 December 2021