"A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed"
The GDPR's definition of a data breach
Qsis contains personal student information deemed sensitive under the Data Protection Act 2018. This includes information relating to ethnicity, religion and sexual orientation. Misuse of these types of data could lead to significant risks to an individual's fundamental rights and freedoms.
Each member of staff whose work involves processing of Qsis personal data, whether in electronic or paper format, must take personal responsibility for its secure storage. Unauthorised disclosure of personal data may be considered a disciplinary matter.
Qsis account credentials are unique to each user and are considered confidential, sensitive information and must not be shared. These credentials should never be embedded in any scripts or programs, including web browser password storage programs.
Hard copies of personal data should not be retained beyond the period for which they are explicitly required (see the relevant University Department's Retention Policies).
Staff acting on behalf of the University must not take Qsis data off campus without approval from the information owner. A risk assessment and the resulting risk management strategies should be implemented prior to removal. Please contact Qsis Governance for advice on sharing Qsis data with third parties.
EXAMPLES OF COMMON BREACHES
- Data sent by email to incorrect recipient
- Attaching confidential documents to an email by mistake
- Forwarding email trails which disclose confidential information
- Loss of unencrypted device
- Loss or theft of paperwork (through insecure disposal)
- Insecure web-pages (including hacking)
- Verbal disclosure
- Failure to redact data
This list is not exhaustive.
WHAT BREACHES NEED TO BE REPORTED?
The Information Commissioner's Office (ICO) requires that ‘serious breaches’ be reported within 72 hours of the breach. If you become aware that Qsis personal data may have been breached, immediately report this to your line manager. If the breach is deemed notifiable, this will then be escalated to the University's Information Compliance Unit by the appropriate management representative in your area. The Information Compliance Unit will then request details of the breach and will be responsible for notifying the ICO if appropriate.
The Information Compliance Unit have developed a Breach Notification Protocol; this includes a Breach Notification Template and Data Breach Report Form, which must be completed by the person(s) who caused the breach and returned to firstname.lastname@example.org.
The maximum monetary penalty for a serious breach is €20,000,000 or 4% of annual turnover, whichever is higher. The ICO may also enforce restrictions on offending organisations, such as prohibiting the transfer of data internationally. Our compliance with the legislation is therefore vital.