Updated 13 December 2018
Under the General Data Protection Regulation (GDPR) data controllers, such as UCL, have a responsibility to ensure that the personal data they are processing is done in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
In cases where there has been an incident which resulted in a potential breach of the GDPR, it is imperative that you report this immediately to Information Security Group (ISG).
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
- Examples of reportable breaches and 'near misses'
While this list is non-exhaustive it does give examples of some of the more common data breaches and 'near misses' that should be reported.
- Accessing personal data by an unauthorised third party;
- deliberate or accidental action (or inaction) by a controller or processor affecting the security of personal data;
- sending personal data to an incorrect recipient;
- computing devices containing personal data being lost or stolen;
- altering personal data without permission;
- losing the availability of personal data; and
- any 'near miss' incident that had the potential to cause a data breach even though it might not have done so.
- Potential consequences and the effect of a breach
Whilst UCL could face potential fines of €20m or 4% of global turnover for data breaches, it is often the unseen consequences that have a greater impact, for example the harm to the individual. A breach resulting in privacy harm to an individual could leave them with lasting damage and could result in secondary consequences for the individual.
Furthermore, Article 28 notes that “the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.” As such, one consequence of a data breach could be that a 3rd party organisation does not recognise that UCL can provide sufficient guarantees and therefore stop the transfer and/or processing of data. This could have a detrimental impact on UCLs core business.
- Method of reporting
The Information Security Group (ISG) and The Data Protection Officer (DPO) are responsible for handling data breaches. If you believe there has been a breach of personal data you must complete email@example.com.
If the breach relates to electronic records you should also notify your local computer representative.To identify and assess the nature of the breach, you should provide ISG with the following information:
- full details as to the nature of the breach;
- an indication as to the volume of material involved;
- the sensitivity of the breach; any timeframes that apply;
- users should put in [GDPR] in the subject line when reporting the breach to ISG.
- What happens next?
Once Information Security Group (ISG) has been notified, they will work with the DPO to undertake an assessment of the breach and carry out an investigation. Where there is evidence of a breach it is important to ensure that processes and practices are in place to ensure it does not reoccur.
The key considerations will include:
- the potential harm to the data subjects(s);
- the sensitivity of the data;
- the volume of data.
ISG and the Data Protection Office will notify the ICO of all data breaches. You should ensure that you record all breaches.
- Key points to consider
- Compliance with the GDPR is NOT optional;
- Report any loss of personal data to the Information Security Group immediately (users should put in [GDPR] in the subject line);
- Advise staff and students on the implementation of and compliance with the UCL Data Protection policy and any associated guidance/codes of practice;
- Ensure appropriate technical and organisational measures are taken to ensure against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data;
- Support UCL’s notification with the ICO by maintaining a register of holdings of personal data, including databases and relevant filing systems, and the purposes of processing.
- Undertake the current DPA and ISG training