Under the General Data Protection Regulation, a personal data breach is a 'breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed'.
Breaches can be small, relating to one person, or can affect many thousands of individuals. A breach might involve information held in digital format or in paper files. The cause might be a stolen laptop, a lost memory stick, a misdirected email or unauthorised access to a system containing personal data.
Although this web page relates to breaches of security, it's worth noting the law can be breached in other ways. For example, keeping data longer than required, or gathering too much data might also be an infringement of the law.
All University staff have a responsibility to handle UEA personal data in accordance with the current UK law, and must declare any data breaches that come to their attention.
The University is a data controller. As an organisation we are legally responsible for a large amount of personal data relating to students, staff and a range of other people. UEA data may be held in many formats, and stored both in and outside the University. If something goes wrong with the handling or security of that information, the University as a whole will very likely be held responsible.
The fines that can be issued as a result of the data breach are very large, and organisations can also be fined for failing to notify the Information Commissioner that a breach has occurred.
Individuals can also commit offences under the law, for example where they knowingly obtain or use personal data without consent.
If you know or suspect that UEA personal data has been lost, stolen, misdirected, accessed inappropriately or unlawfully, or is in any way insecure, contact the University’s information compliance team immediately – even if you think that someone else might already have done so, and even if you've already told another member of staff. You can also contact the team by phone, on ext. 2431.
Please fill in the breach questionnaire as far as possible and attach it to your message. The information compliance team will then contact you as soon as possible to discuss next steps.
It’s critical you let us know about any breaches as soon as possible. Not only will this help us reduce the impact of any data breach on those affected, but it will also help the University comply with data protection laws. Under the new law, which came into effect on 25 May 2018, the University is legally required to report significant breaches to the UK’s supervisory body (the Information Commissioner’s Office) within 72 hours, so quick action is needed from all staff.
The Information Compliance team will work with you and other relevant staff to make sure UEA-controlled data are secured and that risks associated with the breach are minimised. We may need to notify affected individuals, and/or the Information Commissioner’s Office. We are impartial and work independently but will need your help to make sure the breach is fully investigated, and that appropriate steps are taken to avoid reoccurrence.
Breaches can occur all too easily, but there are steps all staff can take to avoid putting personal data at risk. Data Protection and Information Security training is very important, as is good records management and being aware of how to manage the data you hold.
Many data breaches are related to email. See our webpage on reducing the data breach risk when using email.
You can also use a Data Protection Impact Assessment to identify risks in any new project or service.
Information Compliance team staff can also help departments by reviewing how personal data are used and shared, helping to reduce potentially risky practices. If you’d like to discuss any data protection issues, contact firstname.lastname@example.org or or by telephone on +44 (0)1603 59 2431.