What constitutes a data protection breach?


A breach of the Data Protection Act could damage the University College’s reputation in addition to the Information Commissioner fining the institution up to £500,000 for a serious breach.

What constitutes a data protection breach?

A data breach would be caused when (and this is not an exhaustive list):

  • A laptop containing personal data is lost or stolen

  • A memory stick (USB) containing personal data is lost or stolen

  • An unencrypted memory stick is used to store personal data in breach of the University College’s own policies

  • A vehicle containing a laptop or paper files is broken into and personal data is stolen

  • A laptop or paper files are stolen from a private property

  • An email is sent (either internally or externally) containing personal data and the email is sent to the wrong email address

  • An email is sent (either internally or externally) containing personal data which is far in excess of that necessary in order for the business function to be carried out

  • An email which should be sent “bcc” to a large number of individuals (either internally or externally) is instead sent “to”, so that each recipient can see who else has received the email, together with their personal email address or other personal details

  • A fax is sent containing personal data and the fax is sent to the wrong number

  • Personal data is shared outside of the University College for a legitimate business reason, but it is lost by the recipient, or it is stolen from the recipient, or it is used by the recipient in a manner for which they have no authority

  • Personal data is transferred electronically outside the University College and is not encrypted in accordance with University College policies

  • Paper files of personal data are left unattended and are taken or copied and then used for an unauthorised purpose

  • A member of staff uses personal data for a personal rather than a University College business reason

How should a data breach be reported?

Immediate action must be taken to report the data breach to a member of the Senior Management Team. The Data Protection Officer must always be informed.

Action must be taken immediately to contain/minimise/remedy the breach.

A report should be submitted to the Data Protection Officer detailing:

  • The circumstances surrounding how the breach occurred

  • The extent of the breach

  • The implications of the breach

  • The actions which have been taken, or which need to be taken, to contain/minimise/remedy the breach

  • Actions to ensure processes are amended to prevent future occurrence of the breach

The Data Protection Officer will complete the internal Security Breach Notification form, a copy of which will be forwarded to the Deputy Principal. In consultation with the Deputy Principal, a decision will be made as to whether the breach will be notified to the individuals affected and/or to the Information Commissioner’s Office. Consideration will be given to:

  • The number of individuals who have been affected by the breach

  • The sensitivity of the data lost/released/unlawfully corrupted

  • The severity of the potential consequences

  • Any legal or contractual requirements

  • Advisory documentation produced by the Information Commissioner’s Office
