What should I do if there is a data breach?
A personal data/security breach may arise from:
- a deliberate attack on your systems
- from the unauthorised use of personal data by a member of staff
- or from accidental loss or equipment failure.
The following actions should be taken when a breach occurs:
1. Breaches should be reported to the University’s Information Compliance Team.
2. Containment - Breaches can occur anytime 24/7. It may not always be possible to reach the Information Compliance Officer immediately. Damage limitation should take priority after a breach. This could involve:
- taking down a webpage
- informing unauthorised recipients of an email to delete it and not to share it
- informing IT Services if an account has been hacked
The Information Compliance Officer will help you with these further steps:
3. Assessing the risks – you should assess any risks associated with the breach, as these are likely to affect what you do once the breach has been contained. In particular, you should assess the potential adverse consequences for individuals; how serious or substantial these are; and how likely they are to happen.
4. Notification of breaches – informing people about an information security breach can be an important part of managing the incident, but it is not an end in itself. You should be clear about who needs to be notified and why. You should, for example, consider notifying the individuals concerned; the ICO; other regulatory bodies; other third parties such as the police and the banks; or the media.
5. Evaluation and response – it is important that you investigate the causes of the breach and also evaluate the effectiveness of your response to it. If necessary, you should then update your policies and procedures accordingly.
This advice is based on guidance provided by the Information Commissioner.
Payment Card Incidents
The following content is to assist you in the event of Card Payment Data Breach. Read through this document to become familiar with the process. If you have any queries please contact firstname.lastname@example.org