12. Breach reporting
A personal data breach occurs when (whether deliberate or accidental) there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. In broad terms this means a security incident that has affected the confidentiality, integrity or availability of personal data.
A personal data breach includes, but is not limited to, any of the following:
- The accidental alteration or deletion of personal data
- The transfer of personal data to those who are not entitled to receive it
- Unauthorised access to personal data
- Use of personal data for purposes for which it has not been collected and which go beyond those uses that the data subject could have reasonably contemplated
- Theft of storage devices
If a member of staff becomes aware of a potential breach of personal data, they should inform their line manager, who will then ensure the suspected breach is reported to the Data Protection Officer using our dedicated form. If the DPO is not available, the SIRO should be made aware.
The DPO will investigate the breach and take appropriate steps depending on the nature and quantity of data released. An investigation will be carried out into all data breaches.
The ICO and other organisations (as appropriate) will be informed of all serious data breaches where significant harm to one or more individuals is likely or a large number of individuals are affected.