In cases where there has been an incident which resulted in a potential breach of personal data, it is imperative that it is reported immediately to Information Security Group (ISG).
- Recognising a personal data breach
- Consequences of a personal data breach
- Report a personal data breach
- The process after reporting a personal data breach
- Preventative security measures
Recognising a personal data breach
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Personal data breaches can be the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
Examples of personal data breaches
This list is non-exhaustive but it does give examples of some of the more common data breaches and 'near misses' that must be reported.
- accessing personal data by an unauthorised third party;
- deliberate or accidental action (or inaction) by a controller or processor affecting the security of personal data;
- sending personal data to an incorrect recipient;
- computing devices containing personal data being lost or stolen;
- altering personal data without permission;
- losing the availability of personal data; and
- any 'near miss' incident that had the potential to cause a data breach even though it might not have done so.
Consequences of a personal data breach
The consequences are far-reaching, the potential harm it might cause to the individual(s) whom the personal data is about, and UCL icould face serious fines and negative impact on reputation.
While UCL could face potential fines of twenty million Euros or four percent of global turnover for data breaches, it is often the unseen consequences that have a greater impact, for example, the harm to the individual. A breach resulting in privacy harm to an individual could leave them with lasting damage and could result in secondary consequences for the individual.
Furthermore, Article 28 notes that “the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this regulation and ensure the protection of the rights of the data subject.” As such, one consequence of a data breach could be that a 3rd party organisation does not recognise that UCL can provide sufficient guarantees and therefore stop the transfer and/or processing of data. This could have a detrimental impact on UCLs core business.
The Information Security Group (ISG) and The Data Protection Officer (DPO) are responsible for handling data breaches. All potential personal data security breaches should be reported separately as soon as they are discovered. If for any reason you are unsure whether an issue constitues a personal data security breach, please still report it.
If you believe there has been a breach of personal data you must complete the Personal Data Breach Reporting Form below and email it to Information Security Group.
and send it to ISG: email@example.com.
Other methods of reporting:
If you have trouble filling in the above form then you should provide ISG with at least the following information:
- full details as to the nature of the breach;
- an indication as to the volume of material involved;
- the sensitivity of the breach; any timeframes that apply;
- users should put in [DPL] in the subject line when reporting the breach to ISG.
If the incident is of a critical nature; or you have not heard back from ISG, or if you have trouble with e-mails then you telephone them on the following number:
- Telephone: (0)20 7679 7338 (internal 37338)
If the breach relates to electronic records you should also notify your local UCL computer representative.
The process after a personal data breach is reported
Once the Information Security Group (ISG) has been notified, they will work with the DPO to undertake an assessment of the breach and carry out an investigation.
The key considerations will include:
- the potential harm to the data subjects(s);
- the sensitivity of the data;
- the volume of data.
- The DPO will notify the ICO if required.
Preventative security measures
Avoid personal data breaches by following these guidelines and in general following the data protection guidance.
- Advise staff and students on the implementation of and compliance with the UCL Data protection policy and any associated guidance/codes of practice.
- Ensure appropriate technical and organisational measures are taken to ensure against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Support UCL’s notification with the ICO by maintaining a register of holdings of personal data, including databases and relevant filing systems, and the purposes of the processing.
- Undertake the current DPA and ISG training