Data Breaches

Summary of actions to be taken

Data breaches can lead to harm to individuals, reputational damage to City, and financial consequences, including City incurring a fine from the Information Commissioner’s Office (ICO) or becoming liable to compensate individuals for any damage suffered.

If you believe there has been a data security breach you must report it immediately via the Potential Data Breach form on Service Now, or phone the IT Service Desk on +44 (0)20 7040 8181 – every suspected or actual breach needs to be dealt with immediately.

  • Delays in reporting data breaches could increase their impact. City is legally required to report to the ICO without delay and within 72 hours of becoming aware, with a reasonable degree of certainty, of security incidents involving a high risk to individuals (data subjects). City may face penalties if it does not. You should never contact the ICO directly.
  • The Information Compliance team and Information Security Manager will assess the incident and determine next steps that can be taken to mitigate the breach. The team will also advise on the potential need to report the breach to the ICO.
  • Following a breach, City will record steps taken to rectify the situation, mitigate its effects, and prevent further occurrences.
  • Lost or stolen devices: if your device is lost or stolen you must call the IT Service Desk on +44 (0)20 7040 8181.
  • If in doubt about whether an event could be a data breach, contact the Information Compliance Team at dataprotection@city.ac.uk immediately.

Context

‘Data’ includes any information, including:

  • Personal data: personal information relating to particular individuals, such as staff or students. In other words, any information about an identified, or identifiable, living individual. It can include their name, address, email address, date of birth or staff, bank or NI details, but also moving or still images of them, personal information contained in an audio-visual or audio recording, or an IP address associated with them.
  • Some personal data is ‘special category personal data’ and calls for particular treatment. This includes information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

What is a data breach?

  • A data breach is any event leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, data transmitted, stored or otherwise processed.

Data breaches will normally fall into one of three categories:

  • Confidentiality breach (disclosure of or unauthorised access to data);
  • Integrity breach (alteration of data); and
  • Availability breach (loss of access or destruction).

Examples include:

  • Inadvertent sending of emails or post containing personal data to a wrong address.
  • A member of staff inadvertently revealing personal information held by City in a telephone conversation with a third party.
  • Loss, theft or misdirection of a hard copy document.
  • Loss or theft of a City phone, laptop or other device with data on it.
  • Unauthorised access to audience personal data by a City supplier.
  • A system failure that causes data to be corrupted or deleted.

What if a supplier or third party data processor commits a data breach?

If a third party or supplier is processing personal data on behalf of City (i.e. a data processor), they must report the breach to City without undue delay. Processors have a responsibility to keep data safe from loss or damage, and secure against unauthorised access or disclosure.

Data breach – next steps

Having received the online Potential Data Breach form, the Information Compliance team will:

  • Assess the breach and any remedial actions that have been taken (and may recommend further steps).
  • Record the details of the breach, its effects and the remedial actions taken.
  • Consider whether any third parties need to be notified, such as suppliers whose information may have been lost or disclosed, and whether the police should be informed.
  • In the case of a personal data breach, decide whether it should be notified to the ICO, and whether the individual data subject(s) should be informed.
  • Advise on maintaining records of the handling of the breach.
  • Advise on potential liability for regulatory fines (which are potentially very high under the GDPR) and/or compensation.

City is under a legal obligation to notify personal data breaches to the ICO within 72 hours of becoming aware of the breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals.

City’s DPO will contact the ICO – City employees should never contact the ICO directly. Information on the criteria used to determine whether the breach is reportable is outlined below.

Loss/theft of mobile phone or laptop

The following procedure applies to any device with City data on it.

If your device is lost or stolen you must phone the IT Service Desk on +44 (0)20 7040 8181.

For all City-owned devices lost or stolen please also ensure you complete the Potential Data Breach form.

In order to protect the University’s interest, all data – or any subset thereof – may be deleted and/or locked from use by the IT department, if the device appears to be lost or stolen.

Information Compliance reporting to the ICO

When deciding to report a personal data breach to the ICO, the main consideration is whether, and to what extent, the breach presents a risk to the rights and freedoms of individuals. This will involve an assessment of the nature, likelihood and severity of any such risks.

The Information Compliance team will give particular consideration to the following factors in making those assessments:

  1. Type of breach.
  2. Nature, sensitivity and volume of personal data.
  3. Whether, in the case of the loss, alteration or destruction of data, a back-up exists.
  4. Ease of identification of individuals.
  5. Severity of consequences for individuals.
  6. The number of affected individuals.

Examples of personal data breaches that the DPO may decide to report to the ICO:

  • A City manager leaves a return-to-work form on the train, which includes health records of an employee.
  • City suffers a cyber-attack and data is stolen.
  • SAP records for all staff are exported to MS Excel and inadvertently disclosed to a member of the public.

What will be reported to the ICO?

The notification must be made:

  • Without undue delay; and
  • Where feasible, not later than 72 hours after the data controller (i.e. City) became aware of the breach.

Where it is not made within 72 hours, City must explain the reasons for the delay.

The notification must include:

  • The nature of the personal data breached, including the categories and approximate number of individuals and the number of records;
  • The contact details for the DPO at City;
  • The likely consequences of the personal data breach; and
  • The measures taken or proposed to be taken by City to address the personal data breach, including measures to mitigate its adverse effects.

If required, City may provide an initial notification followed by updates to the Information Commissioner.

When will City notify the individuals impacted by the breach?

City will notify the individuals impacted by the breach, without undue delay, when it is likely to result in a high risk to the rights and freedoms of natural persons.

A “high risk” to the rights and freedoms exists where the breach may lead to physical, material or non-material damage to individuals. This includes identity theft or fraud, financial loss and damage to reputation. According to EU guidance, if the breach includes sensitive personal data (otherwise known as ‘Special Category Data’), the damage should be considered likely to occur.

City must tell the individual, using ‘clear and plain language’:

  • The nature of the personal data breached, including the categories and approximate number of individuals;
  • The contact details for the DPO at City;
  • The likely consequences of the personal data breach;
  • The measures taken or proposed to be taken by City to address the personal data breach, including measures to mitigate its adverse effects.

City is not required to notify the individual if:

  • Appropriate technical and organisational measures have been implemented (e.g. data is encrypted);
  • The controller has taken measures to ensure that the anticipated impact of the breach is no longer likely to materialise; or
  • It would involve disproportionate effort.
