
Reporting Data Breaches

What is a personal data breach?

Under the General Data Protection Regulation (‘GDPR’), a personal data breach is a 'breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed'.

Breaches can be small, relating to one person, or can affect many hundreds of individuals. A breach might involve information held in digital format or in paper files. The cause might be a stolen laptop, a lost memory stick, a misdirected email, lost paperwork or unauthorised access to a system containing personal data.

As well as a breach of security, data breaches can be caused in other ways, such as keeping data longer than required or gathering too much personal data.

What should you do if you discover a personal data breach?

Any personal data breach, however minor, must be reported immediately to the Data Protection Officer. 

Click the button below to report a breach.


In some cases, the University will have to report the breach to the Information Commissioner’s Office (‘ICO’) within 72 hours, so it is important that any breach is reported without delay.

Clicking above will take you to the breach reporting form which asks for the information that we need to establish if a data breach has occurred, what immediate steps we need to take and whether we need to report to the ICO.

If you don’t have all the information for the form, please just provide what you can – don’t delay in making the report whilst you gather information. Any delay can affect steps that we can take to reduce the impact of any data breach and may also mean we do not meet the legal timescales for reporting to the ICO.

You can also contact the Data Protection Officer, Alexandra Elliott, directly. You can email at dpo@sussex.ac.uk or telephone on 01273 678472.

What happens next?

On receipt of the breach notification form, the Data Protection Officer will work with you and other relevant colleagues to make sure that any personal data is secured and that risks associated with the breach are minimised.

The Data Protection Officer will establish the likelihood of the breach impacting on individuals’ rights and freedoms under the GDPR and the severity of any potential consequences for the individual. If there is a risk, then the University must notify the ICO.

If we need to make a report to the ICO, we will need to provide details about the nature of the personal data breach, as well as the categories and approximate numbers of individuals concerned and the personal data records involved. We will need to report the likely consequences of the breach and the measures we have taken, or propose to take, to deal with the breach and mitigate any possible adverse effects.

If the breach is likely to result in a high risk to the rights and freedoms of the individual(s), the University will also need to inform those concerned directly and without undue delay.

Who is responsible?

The University, as the data controller, has legal responsibility for any personal data breaches, so staff should not be concerned about reporting a matter and they will not be personally liable for any outcome as a result of an ICO investigation.

Under the Data Protection policy, staff have the following responsibilities:

  • They should ensure that personal data is dealt with in accordance with the University’s Data Protection policy and that there are adequate safeguards in place to protect personal data that they process (https://www.sussex.ac.uk/infosec/policies).
  • They should ensure that they report any personal data breaches they become aware of immediately via this process. The University can be fined for failing to notify the ICO that a breach has occurred.

However, if there is deliberate misconduct or behaviour amounting to a wilful breach of the Data Protection policy, or gross negligence on the part of an individual causing a breach of the policy, the matter may be considered as a disciplinary issue. This could include, for example, a staff member deliberately sharing personal data with a third party in breach of the policy, or repeatedly failing to comply with University policies and processes in undertaking research, resulting in the loss of personal data. These are just two examples and do not constitute an exhaustive list.

All staff can make mistakes and inadvertently cause a personal data breach. That in itself would not result in any action, but repeating the same mistakes and not taking steps to prevent recurrence, resulting in further data breaches, may lead to action.

If you have any queries about your responsibilities under the Data Protection policy and the GDPR, please contact the Data Protection Officer.