Data Breaches
A data breach occurs when the security of personal data or information that you are responsible for has been compromised in some way, either accidentally or unlawfully.
For example:
- the personal data has been lost or stolen (e.g., a hard copy file, a laptop/mobile device, or storage device)
- the personal data has been destroyed (e.g., shredded or deleted)
- the personal data has been altered without permission (e.g., changes to database records or hard copy files)
- the personal data has been disclosed to the incorrect individual(s) (e.g., an email to the incorrect recipient)
- the personal data is unavailable due to a system failure or a security compromise (e.g., DDoS attack or hack)
If you suspect, or are aware, that a data breach has occurred, you must report it to the College as soon as possible.
The statutory timeline for investigating, mitigating or resolving, and reporting a breach - which may include notifying the Information Commissioner's Office (ICO) - is 72 hours!
Reporting a Data Breach
Please follow the guidance below.
- College members should report all data breaches to the College Data Protection Lead (data.protection@girton.cam.ac.uk) as soon as the breach is discovered.
- All internal data breaches must also be reported using the data breach tool developed by the Office of Intercollegiate Services: the online Personal data incident reporting tool (PDIR).
The College Data Protection Lead will investigate the incident and provide guidance for initial remedial measures.
N.B. Details reported will be held confidentially and investigated only with the relevant personnel. If anyone is concerned about reporting a data breach for any reason, please speak directly to the College Data Protection Lead for advice.
If you are external to the College, and either suspect or have been made aware of a personal data breach, please contact the College Data Protection Lead (data.protection@girton.cam.ac.uk) as soon as possible.
Information to include with your report:
- Your name and contact details (in case we need to contact you for more details)
- A description of the data breach
- Date(s) and time(s) the data breach occurred
- How was the breach discovered?
- Evidence of the breach (e.g., a copy, scan or screenshot of the breached information)