Data Protection Policy - Data Protection Breaches

Swansea University will make every effort to avoid breaches of the Data Protection Act, and in particular the loss of personal data. However, it is possible that mistakes will occur on occasion. What is important in these circumstances is that the University responds appropriately.

Data breaches could include, for example, loss or unintentional disclosure of personal data relating to a large number of students or staff - whether that be on portable media, via email or through the loss of a paper file or files. Even the loss of data relating to one individual would be of concern, especially if the data related to sensitive matters such as financial or disciplinary matters.

It is important that members of staff know what to do if they become aware of a data breach. The Information Commissioner has the power to fine authorities up to £500,000 for the most serious data breaches, and such fines are most likely if an initial breach is not handled appropriately. The following steps should be taken in the event of a data breach.

1. Any member of staff who becomes aware that they or another person has caused, or may have caused, an unintentional disclosure of personal data held by Swansea University is responsible for reporting it at the earliest possible point.

2. If a security breach is suspected or is known to have occurred staff should immediately contact IT support or, depending upon the severity or confidentiality,  the ISS Director, or Deputy Director of ISS who will initiate the appropriate action. Information provided to ISS should indicate:

  • the data affected;
  • how many individuals’ records have been disclosed/are affected;
  • the current situation – has the breach been contained and if not, how many people have access to the affected data;
  • what action has been taken to resolve the breach;
  • how the breach happened;
  • what relevant policies/training are in place;
  • when this breach occurred/began;
  • whether there have been similar occurrences previously;
  • any other details that are thought relevant.

3. ISS will consider how serious the breach is, with due regard to current guidance from the Information Commissioner and University procedures and take appropriate action. The factors they will consider will be:

  • potential harm to data subjects (eg possibility of identity theft or other fraud/theft);
  • volume of data disclosed (ie number of individual data subjects affected);
  • sensitivity of the data.