A breach of the Data Protection Act could damage the University College’s reputation in addition to the Information Commissioner fining the institution up to £500,000 for a serious breach.
What constitutes a data protection breach?
A data breach would be caused when (and this is not an exhaustive list):
A laptop containing personal data is lost or stolen
A memory stick (USB) containing personal data is lost or stolen
An unencrypted memory stick is used to store personal data in breach of the University College’s own policies
A vehicle containing a laptop or paper files is broken into and personal data is stolen
A laptop or paper files are stolen from a private property
An email is sent (either internally or externally) containing personal data and the email is sent to the wrong email address
An email is sent (either internally or externally) containing personal data which is far in excess of that necessary in order for the business function to be carried out
An email (sent either internally or externally) which should have been sent “bcc” to a large number of individuals is instead sent “to” them, so that each recipient can see who else has received the email, together with their personal email address or other personal details
A fax is sent containing personal data and the fax is sent to the wrong number
Personal data is shared outside of the University College for a legitimate business reason, but it is lost by the recipient, or it is stolen from the recipient, or it is used by the recipient in a manner for which they have no authority
Personal data is transferred electronically outside the University College and is not encrypted in accordance with University College policies
Paper files of personal data are left unattended and are taken or copied and then used for an unauthorised purpose
A member of staff uses personal data for a personal rather than a University College business reason
How should a data breach be reported?
Immediate action must be taken to report the data breach to a member of the Senior Management Team. The Data Protection Officer must always be informed.
Action must be taken immediately to contain/minimise/remedy the breach.
A report should be submitted to the Data Protection Officer detailing:
The circumstances surrounding how the breach occurred
The extent of the breach
The implications of the breach
The actions which have been taken, or need to be taken, to contain/minimise/remedy the breach
Actions to ensure processes are amended to prevent future occurrence of the breach
The Data Protection Officer will complete the internal Security Breach Notification form, a copy of which will be forwarded to the Deputy Principal. In consultation with the Deputy Principal, a decision will be made as to whether the breach will be notified to the individuals affected and/or to the Information Commissioner’s Office. Consideration will be given to:
The number of individuals who have been affected by the breach
The sensitivity of the data lost/released/unlawfully corrupted
The severity of the potential consequences
Any legal or contractual requirements
Advisory documentation produced by the Information Commissioner’s Office