Reporting data protection incidents
How do I report a data protection incident?
The two main types of incident are:
- Where someone knows or suspects that an incident has occurred which actually or potentially involves inappropriate disclosure of personal data - contact the Information Governance Office immediately on 0161 275 7789 or by emailing firstname.lastname@example.org outside office hours.
- Where a data storage device such as a PC, laptop, tablet, USB stick, or smart phone has been lost or stolen regardless of the data it contains - immediately contact both the Information Governance Office on 0161 275 7789 or by emailing email@example.com outside office hours and the University Security Office on 0161 306 9966 (the number is on the back of all staff/student ID cards).
What information do I need to report?
If you are calling the Information Governance Office to report an incident then please have the following information to hand to provide to the member of IGO staff who will triage your incident. Alternatively, if you are emailing then please incorporate this information within your initial email.
- Faculty/School/Department involved in the breach
- The date and time the incident occurred
- The date and time the incident was discovered
- How the incident was discovered
- A brief summary of the incident
Further information may be required once the initial triage process has taken place and you will be advised accordingly by the IGO staff member dealing with your incident.
What is a data protection incident?
The University holds the personal data of thousands of staff, students, alumni, research participants and others who have an association with the University. If that data is lost, stolen, corrupted or released to unauthorised persons, the Information Governance Office must be informed immediately.
It’s safest to assume that all information about a living, identifiable individual is personal data and may include:
- Factual information about an individual such as date of birth, national insurance number, bank account, name and address.
- Sensitive information such as health, sexual life, criminal record, ethnicity, religion.
- Opinions expressed, for example in staff development reviews or email comments.
Other examples can be found in the Information Security Categories document.
If you are unsure whether or not to report an incident, consult the Information Governance Office.
Personal data breaches can cause real harm and distress to the individuals involved and can provide the opportunity for identity fraud, so it’s important that incidents are reported as quickly as possible. Once the Information Governance Office are notified, they will provide advice and guidance on the next steps to be taken.