Do you know how to recognise a personal data breach, and would you be confident of the process to follow if you discovered one? Questions about data breaches are among the most common queries we receive, and it is also the topic that can cause the most anxiety, with fear of hefty financial penalties for the University being high on many people’s list of concerns. We have put together the guide below to equip you with the knowledge of how to deal with a breach should you ever find yourself in that situation. Please do get in touch if you have any questions or feedback, we would love to hear from you.
1. What is “personal data”?
Personal data is any information that tells you something about a living individual, for example:
- name, address, telephone number, email address, or other contact details
- date of birth, National Insurance number, or other identification details
- exam results, assessment feedback, and in some cases student’s work itself,
- opinions or views expressed about an individual.
There are also special categories of personal data that need more protection due to the increased potential risk to individuals (e.g. of discrimination) if the information is misused. This includes:
- racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership;
- genetic data; biometric data (where used for identification purposes);
- data concerning health; data concerning a person’s sex life; and data concerning a person’s sexual orientation.
There are also additional protections around information about criminal offences/convictions, due to the sensitivity.
2. What is a “personal data breach”?
A personal data breach describes what happens when any personal data is:
- disclosed in error;
- lost or stolen;
- destroyed;
- corrupted or otherwise unavailable, where this affects the individuals significantly;
- accessed or shared without authorisation.
Some examples of personal data breaches that have been reported to us are as follows:
- An email about a student’s personal situation that was accidentally sent to the wrong recipient.
- A contact list of names and phone numbers from an event that was left behind in the meeting room after the event.
- Accidental recording of a personal conversation between a tutor and a student at the end of a live lecture, which was then automatically uploaded to ChiView.
- Assessment feedback for a whole group of students accidentally sent to one individual.
- Information about a student’s Covid-19 test result shared more widely than necessary.
- A “phishing” email that a member of staff was a victim of, leading to them providing their University account username and password to the attackers.
- Information about personal furlough arrangements sent to the wrong staff member.
- Completed application form sent to an applicant rather than the blank/template form.
- A photograph of students that was sent by a lecturer to the local press without the students’ permission.
3. Why do we report personal data breaches?
There are three main reasons why it is really important to report data breaches to the DP Officer without delay when they occur:
- The DP Office can give advice on steps to take to minimise the potential consequences for individuals and/or for the University, which needs to happen as soon as possible.
- If the breach is likely to result in a risk to the rights and freedoms of individuals then the University has to report this to the regulator (the Information Commissioner’s Office, ICO) within 72 hours, so the sooner the DP Office know the better.
- The DP Office keeps a record of all personal data breaches and ensures that any general learning points are shared with staff across the University to improve systems, processes and practice to reduce future risk.
4. How do we report them?
The best way to report a personal data breach is in writing, either by emailing the DP Office at dpofficer@chi.ac.uk, or logging it through the “Support me” self-service portal on the intranet (https://supportme.chi.ac.uk/sw/selfservice/#/) under the “Data Breaches” category. Please include as much detail as possible so that we can assess the level of risk. You can also telephone Laura Keeley on ext. 6166 or Su Longden on ext. 6020. Please be reassured that our approach is supportive and solutions-focussed; we know that mistakes happen especially when we are working at speed and under pressure. We will work with you to mitigate the risks, whilst find helpful learning points or tips for safer working to minimise the chance of similar breaches occurring in the future.
And finally, please remember that all University staff are required to complete data protection training every two years to keep their knowledge up to date. In the event that we do have to report a breach to the regulator, one of the first questions they ask is whether the staff members involved have completed training within the last two years. You can access the training through Moodle or using this link: https://moodle.chi.ac.uk/course/view.php?id=80951.
If you have any questions please contact us on dpofficer@chi.ac.uk and we will be happy to help.