Personal Data Breach


Actual and suspected personal data breaches should be reported to the University's Data Protection Officer - Helen Johnstone 

Contact details: or during working hours 01905 855014

The University's obligations under data protection legislation

  • The University is responsible for ensuring appropriate and proportionate security for the personal data it holds.

  • This includes protecting against accidental or unlawful destruction, loss, alteration, disclosure of, or access to, personal data.

  • In the event of a potential data breach, the University has a responsibility to deal with the breach immediately it becomes aware of it, and to minimise the impact of the breach on individuals. The University is required to put measures in place to avoid a similar breach occurring

  • Under data protection legislation, most personal data breaches are required to be reported to the ICO within 72 hours of the University becoming aware of the breach. It is the responsibility of the Data Protection Officer to notify the ICO and affected data subjects, where necessary, of the personal data breach.

What might constitute a breach?

Examples of a data breach might be, but are not limited to, the following:

  • Loss or theft of data or equipment on which data is stored - Even if a lost or stolen device (laptop, tablet, mobile phone) is encrypted there may still be a personal data breach if the personal data held on it has not been backed up. This would be classed as an "availability breach" as the data is no longer available.
  •  Email sent to a group of recipients using 'to' or 'cc' fields rather than 'bcc' field - When sending an email to a large group of recipients, be aware that not all recipients may wish others to know they are on the mailing list. Send the email to yourself and put the mailing list in the 'bcc' field.
  •  Inappropriate access controls allowing unauthorised use - This relates to not locking your PC or device when not in use, and also to inappropriate access to our corporate systems or localised personal data storage, including manual record storage i.e. filing cabinets or rooms not being locked.
  • Equipment failure - Failure of a corporate system processing personal data. If a corporate system fails preventing individuals accessing their personal data for any length of time, this may be classed as an "availability breach".
  • Unauthorised disclosing - Personal data sent to the wrong postal or email address.
  • Human error - The majority of personal data breaches are human error. Take time to check what you are doing.
  • Unforeseen circumstances such as from a fire or flood  


  How do I know if it is a personal data breach? 

      Please see this flowchart to help you identify if a personal data breach has occurred. 

      Please also consult the Personal Data Breach Notification Procedure for advice on what you should do if you think a personal data breach has occurred.