A personal data breach occurs when personal information is used in a way that is contrary to the eight principles of the Data Protection Act 1998 (DPA).
Breaches occur when identifiable personal data are lost, stolen, unintentionally or maliciously disclosed, or altered. A breach can be small, relating to a single person, or can affect many thousands of individuals, and it might involve information held in digital form or in paper files. Typical causes include a stolen laptop, a lost memory stick, a misdirected email, or unauthorised access to a system that holds personal data.
Although the most high-profile and personally damaging breaches usually concern the security of the data, the DPA can be breached in other ways. For example, keeping data for longer than required, transferring data to countries outside the EEA that do not ensure an adequate level of protection, or gathering more data than is needed may also breach the Act.
All University staff have a responsibility to handle UEA personal data in accordance with the DPA, and must report any breaches of the Act that come to their attention.
The University is a data controller. As an organisation we are legally responsible for a large amount of personal data relating to students, staff and a range of other people. UEA data may be held in many formats, and stored both in and outside the University. If something goes wrong with the handling or security of that information, the University as a whole will very likely be held responsible.
Individuals can also commit offences under the DPA in their own right, for example where they knowingly or recklessly obtain, disclose or use personal data without the consent of the data controller.
If you know or suspect that UEA personal data has been lost, stolen, misdirected, accessed inappropriately or unlawfully, or is in any way insecure, contact the University's information compliance team immediately, even if you think that someone else might already have done so, and even if you have already told another member of staff. You can also contact the team by phone, on ext. 2431.
Please fill in the breach questionnaire as far as possible and attach it to your message. The information compliance team will then contact you as soon as possible to discuss next steps.
It is critical that you let us know about any breach as soon as possible. Not only will this help us reduce the impact of the breach on those affected, it will also help the University comply with data protection law. From 2018, when the General Data Protection Regulation takes effect, the University will be legally required to report significant breaches to the UK's supervisory authority (the Information Commissioner's Office) within 72 hours of becoming aware of them, so quick action is needed from all staff.
The Information Compliance team will work with you and other relevant staff to make sure UEA-controlled data are secured and that the risks arising from the breach are minimised. We may need to notify affected individuals and/or the Information Commissioner's Office. We are impartial and work independently, but we will need your help to make sure the breach is fully investigated and that appropriate steps are taken to prevent a recurrence.
Breaches can occur all too easily, but there are steps all staff can take to avoid putting personal data at risk. Data Protection and Information Security training is very important, as are good records management and an awareness of what data you hold and how to manage it. You can also use a Privacy Impact Assessment to identify risks in any new project or service before it starts.
SPC staff can also help departments by reviewing how personal data are used and shared, helping to reduce potentially risky practices. If you would like to discuss any data protection issue, contact firstname.lastname@example.org or telephone +44 (0)1603 59 2431.