Report a Data Breach
What is a data breach?
A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, data. Breaches may be the result of accidental or deliberate causes. A data breach is not limited to personal data. Examples include:
- Deliberate or accidental action (or inaction) by a data controller or data processor
- Sensitive personal data being made publicly available on a website
- Student contact details and financial details being accidentally emailed to inappropriate or incorrect recipients
- Alteration of personal data without appropriate authorisation
- Loss or theft of an external hard drive containing research data.
What must be reported?
Any information security incident that has affected the confidentiality, integrity or availability of data, e.g.:
- Personal data that has been lost, destroyed, corrupted or inappropriately disclosed.
- Business data that has been accessed or shared without appropriate authorisation.
- Research data that has become unavailable, where that unavailability has a significant negative effect on the individuals.
Why should breaches be reported?
- The longer an incident goes unreported, the longer a vulnerability may remain unaddressed, allowing the incident to escalate or further incidents to occur.
- Without timely visibility of the incident through reporting, we may not be able to fulfil legal obligations. The EU General Data Protection Regulation (GDPR) places a duty on organisations to report certain types of personal data breach to the supervisory authority (the Information Commissioner's Office in the UK's case) within 72 hours of becoming aware of the breach. Knowing that a breach has occurred and delaying reporting reduces the time available for the investigation team to understand and assist with a response while still meeting legal compliance. Where the breach does not affect personal data, time is still critical and may have contractual implications.
- Understanding the cause of breaches allows us to develop and implement systems and processes that are more robust and so prevent future breaches.
Who should report?
- All employees, contractors and temporary workers.
- All students, when engaged on a programme of study or when working for the University in a paid or unpaid capacity.
- Third parties, such as data processors, should follow their contractual obligations with regard to reporting breaches, which may be initially to their University contacts. It is the University contact who should then report within the University. Third parties should not report incidents directly via the routes below unless contractually bound to do so.
When do I report data breaches?
- Data breaches should be reported as soon as possible after they are discovered.
Where do I report data breaches?
The University uses the same reporting and management process as for security incidents and weaknesses. Due to the short timescales required for regulatory reporting, it is important that significant breaches are reported and processed quickly, and telephone contact is the preferred method for these. This may also be the preferred option for non-University users wishing to make a report. The online self-service may also be used by University users where time is less critical or where corrective action has already taken place. When making a report, take care not to include personal data relating to the data subjects affected by the breach.
- Telephone CIS Service Desk on Ext 41515 (or 0191 334 1515), including out of hours, otherwise use one of the alternative routes that are periodically monitored.
- Report to CIS Service Desk using the online self-service capability. The direct link opens the report form; otherwise, use the 'User Accounts and Security' option to open a new call and report a 'Security Incident or Data Breach'. Avoid using the 'New Call' option from the initial page, as this relates to IT break/fix calls, not security incidents.
How do I report the data breach?
- Only basic details are required to report the data breach.
- Respond to the questions from the online form or Service Desk Analyst. If submitting via email, provide an outline of what has happened or has been observed.
- Do not include any personal data involved in the incident.
- Support any resulting investigation as fully as possible. Information will be recorded in confidence and not retained within the workflow tool, in order to preserve security and confidentiality.
What happens after the report is made?
- The Information Security Incident Response Team will make an initial assessment to determine the next steps.
- The severity of the incident will inform and direct the appropriate level of leadership involvement.
- An investigation may be conducted using a variety of techniques and tools, including interviews, site visits and forensic analysis.
- The outputs of the investigation may include corrective and preventive actions, formal reporting or other communications.