Reporting a data breach

Off

Data breaches can occur through human error or malicious intent. As technology trends change and the creation of data and information grows, there are an increasing number of ways by which data can be breached.

All data breaches should be reported to the Data Protection team as soon as an individual becomes aware. This should be done by completing the Incident Reporting Form, which should be emailed to dataprotection@sheffield.ac.uk. Further details on this are available below.

1. Definition

A data breach is considered to be “any loss of, or unauthorised access to, University data”.

Examples of data breaches that are to be reported to the Data Protection team may include:

  • Unauthorised access to confidential or highly confidential University data
  • Instances of human error (emails being sent to the wrong person)
  • Instances of ‘blagging’ offences where information is obtained by deceit

Incidences such as:

  • Loss or theft of data or equipment on which data is stored
  • Equipment failure
  • Unforeseen circumstances such as a fire or flood
  • Hacking attack

are information security concerns, and should be reported to the Information Security team, as per their procedure.

For the purposes of this guidance, data breaches include both confirmed and suspected incidents that involve personal data. Personal data is defined as any data that can identify an individual.

2. Responsibilities

2.1 Staff: All staff are responsible for reporting actual, suspected, threatened or potential information security incidents and for assisting with investigations as required, particularly if urgent action must be taken to prevent further damage.

2.2 Heads of Department: Heads of Departments are responsible for ensuring that staff in their area act in compliance with this policy and assist with investigations as required.

3. Process

Confirmed or suspected data security breaches should be reported promptly to the Data Protection team, via dataprotection@sheffield.ac.uk.

The Incident Reporting Form should be completed as part of the reporting process. The report should include full and accurate details of the incident including who is reporting the incident and what classification of data is involved (guidance on which is available below). 

Once a data breach has been reported an initial assessment will be made to establish the severity of the breach.

All data security breaches will be centrally logged by the Data Protection team to ensure appropriate oversight in the types and frequency of confirmed incidents for management and reporting purposes.

If necessary (if there is the likelihood of the risk of people’s rights and freedoms as a result of the breach of personal data), the Data Protection Officer  is required to report the data breach to the Information Commissioner’s Office (ICO). This must be done without undue delay, but not later than 72 hours after the University has become aware of the breach. It is therefore crucial that possible or confirmed data breaches are reported at the earliest possibility.

4. Data classification

Data breaches will vary in impact and risk depending on the content and the quantity of the data involved, therefore it is important that the University is able to quickly identify the classification of the data and respond to all reported incidents in a timely and thorough manner.

4.1 Public Data: Information intended for public use, or information which can be made public without any negative impact for the University.

4.2 Internal Data: Information regarding the day-to-day business and academic operations of the University. Primarily for staff and student use, though some information may be useful to third parties who work with the University.

4.3 Restricted Data: Information of a more sensitive nature for the business and academic operations of the University, representing the basic intellectual capital and knowledge. Access should be limited to only those people that need to know as part of their role within the University.

4.4 Highly Restricted Data: Information that, if released, will cause significant damage to the University's business activities or reputation, or would lead to breach of the Data Protection Act. Access to this information should be highly restricted.

Further information regarding data breaches can be found at Annex 4 of the Data Protection Policy.