The UK GDPR creates a legal obligation to report certain data breaches to the Information Commissioner's Office within 72 hours of identification.
In order to comply with this requirement, all staff must notify the Information Governance Team of suspected or actual data breaches immediately on identification.
In the event a breach is suspected or identified outside of core working hours, the Information Governance Team must still be notified immediately.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach covers more than just the loss of personal data. [Article 4 UK GDPR]
A data breach may include:
Notify the Information Governance Team immediately using the report a breach form above.
You can report data breaches by email to dataprotection@york.ac.uk. Please include 'breach' in your email subject line. When reporting by email, please provide us with as much information as possible about the incident.