Data Breaches

How do I report a Breach?

Please contact the Information Compliance Team on dpa@aru.ac.uk if any of the following applies:

  • You become aware that a Data Breach has occurred
  • You suspect a Data Breach may have occurred or may soon occur
  • A supplier, student, member of the public or other person informs you of a Data Breach
  • There has been a ‘near-miss’ where a Data Breach almost occurred

Important:

  • Everyone has a responsibility to report Data Breaches
  • The law requires us to notify the ICO (the UK regulator) within 72 hours of becoming aware of a Breach
  • Failure to notify the ICO within 72 hours when we should have done so is a Breach in itself, putting ARU at risk of a fine or reputational damage

What is a Data Breach?

Data Breaches are incidents where there is a risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may…lead to physical, material or non-material damage. In other words, something has happened with ARU personal data where our lack of control over it has created the possibility of harm to an individual.

Examples could be:

  • Password sharing
  • An email is sent to the wrong recipient
  • Post has been sent to the wrong recipient
  • A device storing or providing access to ARU data is lost or stolen
  • Personal Data has been published in error
  • Data is disclosed verbally to the wrong person
  • ARU data has been hacked
  • A phishing attack has resulted in ARU data being obtained or made vulnerable
  • Malware has put ARU data at risk
  • A file containing personal data is lost
  • An unauthorised person has gained physical access to areas of our buildings putting personal data at risk
  • We have used personal data for a new purpose without gaining the consent of, or informing, data subjects
  • We have retained personal data for longer than stated on our retention schedules
  • We have given a member of staff or an external person access to personal data that they are not entitled to have

What can I do to help reduce the impact of a Breach?

The single most important action to take to reduce the impact of a Breach is to report it to dpa@aru.ac.uk so we can begin to manage the situation.

I have sent personal data to the wrong person

My Personal Device storing ARU data has been stolen

How does ARU manage Data Breaches?

Full details on reporting a data breach are available on The Heron. The following summarises the process.

Once an incident has been reported to the Information Compliance Team the Data Breach Management process commences.

  • From the information provided by the reporter, the incident is logged, given a reference number, and a case record is opened to which all subsequent records relating to the case are added.
  • The incident will be reviewed against the feasibility of undertaking the standard mitigation actions above to help reduce the risks of the Breach promptly.
  • After reviewing the initial report and following enquiries with key contacts identified by the Information Compliance Team, a draft severity rating is applied using the following form, based on the ENISA methodology. This methodology is referenced by the European Data Protection Board and is designed to provide a means of advising Data Controllers in establishing the severity of a Breach, not as the sole means of determining it. It informs a decision.

The investigation may involve co-operation with the IT Major Incident process, interviews with staff, students or employees of suppliers and obtaining documentary evidence of activity with potential recourse to the Procedure for Accessing ARU User Data without Consent.

Data Breach Risk Rating Outcome

  • The risk scoring will be revised by the Data Protection Officer as new information becomes available during the investigation. Within a period of 72 hours from becoming aware of the Breach, and where there is any doubt about whether the Breach is notifiable to the ICO under GDPR Article 33, the Data Protection Officer will present a draft Incident Report to the Head of Compliance & Risk for consultation on the appropriate course of action.

Data Breach Incident Report

  • The final decision on notification to the ICO and to Data Subjects rests with the Secretary & Clerk acting as Senior Information Risk Owner informed by the recommendations of the Data Protection Officer and the Head of Compliance & Risk.
  • If a decision to notify is made, the Data Protection Officer will draft an ICO Notification form for approval capturing the necessary Article 33 requirements:

Report a Data Breach

  • Breach closure activities will take place once the Breach is fully mitigated or actions are agreed to put mitigations in place which appropriately manage the risk of recurrence of the Breach and, if Notification has taken place, the ICO has closed its investigation. The Breach record will record the actions taken to mitigate and prevent recurrence and make note of any actions taken (relating to external audiences, internal processes and those employees responsible for the Breach). A note will be made of the specific lessons learned as a result of the process.
  • Analysis of Data Breaches will be presented to Data Champions at the quarterly Information Compliance Group (ICG) meetings for discussion, suggested actions and recommended changes to ARU policy. The Senior Information Risk Owner will be presented with an Annual Data Protection Compliance Report presenting data on the performance of the process and the nature and severity of Breaches: their cause, who caused them, what data was involved and what actions were taken. Recommendations will be presented based on analysis of incidents and consultation with ICG and other stakeholders over changes to Policy and the approach to communications and training.