Staff should understand the difference between an incident and a personal data breach:

An incident occurs where there is a risk of personal data being compromised. If handled quickly, an incident can often be contained before it becomes a breach.

A personal data breach occurs when there is a failure in security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Examples of a breach include:

  • The loss or theft of data in any format (e.g. papers taken from car, papers left on the train, papers left on the photocopier, post intercepted, unauthorised download).
  • Loss or theft of equipment used to store University information (e.g. laptop, smartphone, USB stick) N.B. all removable storage devices should be encrypted.
  • Compromised IT user account (e.g. spoofing, hacking, shared password).
  • Blagging where information is obtained by deception (a person claims to be someone else).
  • Accidental or unauthorised disclosure of University information (e.g. email of letter to wrong recipient or incorrect system permissions/filter failure).
  • Corruption or unauthorised modification of vital records (e.g. alteration of master records).
  • Computer systems or equipment compromise (e.g. virus, malware, denial of service attack).
  • Break-in at a location holding sensitive information or containing critical information processing equipment such as servers.


All incidents and breaches must be reported to and the University SIRO A Serious Information Governance Incident Procedure is also available. We can then assess, reduce and where possible prevent incidents.

You should remember that if you report an incident quickly, we can often contain it and stop any personal data from being compromised.

Should a breach occur which creates a risk to the rights of an individual, we have a duty to report this to the Information Commissioner's Office (‘ICO’) within 72 hours. We may also need to notify the individual whose data has been breached within the same time period. The SIRO in conjunction with the Vice Chancellor makes the decision on reporting breaches to the ICO.

Fines have increased to a maximum of 20m euros or 4% of global turnover (whichever is the higher).

Each school of the University has a Business Lead for GDPR compliance.

Data Protection Incident Reporting Form