Skip to navigation | Skip to main content | Skip to footer
Search the University of Manchester siteSearch Menu StaffNet
Search type

GDPR: Reporting data breaches

21 Mar 2018

Everyone has a responsibility to report data protection incidents

Data protection

Did you know it’s your responsibility as an employee of the University to report all data breaches as soon as you become aware of one?

Under the new General Data Protection Regulation (GDPR) we are obliged to report data breaches within 72 hours of becoming aware. The clock starts from the moment we know something has occurred. For example, this could be someone telling their line manager about an email containing sensitive person identifying information (PII) sent to an incorrect recipient.

What is a data protection incident?

The University holds the personal data of thousands of staff, students, alumni, research participants and others who have an association with the University. If that data is lost, stolen, corrupted or released to unauthorised persons, the Information Governance Office must be informed immediately.

It could be:

  • lost or stolen devices containing personal data, such as USB devices, laptops, and smart phones
  • a successful phishing attempt via email
  • paper documents that have been lost or stolen from home, your car or on the train.

It’s safest to assume that all information about a living, identifiable individual is personal data and may include:

  • Factual information about an individual such as date of birth, national insurance number, bank account, name and address, and, within the University, the SPOT ID
  • Sensitive information such as health, sexual life, criminal record, ethnicity, religious belief.
  • Opinions expressed, for example in staff development reviews or email comments.
  • Other examples can be found in the Information Security Categories document.

What do I need to do?

As soon as you are aware of an incident involving PII you need to inform the Information Governance Office (IGO) as soon as possible by following the incident reporting procedure.  If you are unsure about whether you need to report please contact your Information Governance Guardian and/or the Information Governance Office on 0161 275 7789.

This is so they can assess whether it needs to be reported to the Information Commission Office on behalf of the University within the 72 hour deadline. If the University does not meet this deadline it could face a six figure fine.

Further information: