SOAS will make every effort to avoid breaches of the Data Protection Act, and in particular the loss of personal data. However, it is possible that mistakes will occur on occasion. What is important in these circumstances is that the School responds appropriately.
Data breaches could include, for example, loss or unintentional disclosure of personal data relating to a large number of students or staff - whether that be on portable media, via email or through the loss of a paper file or files. Even the loss of data relating to one individual would be of concern, especially if the data related to sensitive matters such as financial or disciplinary matters.
It is important that members of staff know what to do if they become aware of a data breach. The Information Commissioner has the power to fine authorities up to £500,000 for the most serious data breaches, and such fines are most likely if an initial breach is not handled appropriately. The following steps should be taken in the event of a data breach.
1. Any member of staff who becomes aware that they or another person has caused, or may have caused, an unintentional disclosure of personal data held by SOAS, or some other breach of the Data Protection Act by SOAS, is responsible for reporting it at the earliest possible point.
2. The breach should be reported via email to firstname.lastname@example.org with the subject line “Data breach report – urgent”. The email should indicate:
- the data affected;
- how many individuals’ records have been disclosed/are affected;
- the current situation – has the breach been contained and if not, how many people have access to the affected data;
- what action has been taken to resolve the breach;
- how the breach happened;
- what relevant policies/training are in place;
- when this breach occurred/began;
- whether there have been similar occurrences previously;
- any other details that are thought relevant.
3. The Information Compliance Manager (or the Secretary in his absence) will investigate the breach. They will talk to the person responsible for the data affected to ensure that they are aware of the breach and are taking necessary action.
4. The Information Compliance Manager (or Secretary) will consider how serious the breach is, with due regard to current guidance from the Information Commissioner. The factors they will consider will be:
- potential harm to data subjects (eg possibility of identity theft or other fraud/theft);
- volume of data disclosed (ie number of individual data subjects affected);
- sensitivity of the data.
5. If the Information Compliance Manager or Secretary considers a breach to be serious enough, bearing in mind these factors, the Registrar will be informed and kept up to date with developments.
6. If the Information Compliance Manager or Secretary consider a breach to be serious enough, with regard to current guidance from the Information Commissioner’s Office, they will inform the Information Commissioner’s Office of the breach.
7. If the breach is reported to the Information Commissioner’s Office, or the data breach is likely to come to the attention of the media, the Information Compliance Manager or Secretary will inform the Communications team.
8. With regard to current Information Commissioner’s Office guidance, the Information Compliance Manager or Secretary will consider whether it is appropriate to contact the data subjects affected to inform them of the breach, and if so, how best to conduct this (eg letter, email, press release and/or web page).
9. The Information Compliance Manager or Secretary will make recommendations to the person responsible for the data concerned to ensure that the breach is not repeated. It will be the responsibility of that person to ensure that the recommendations are put in place and that they update the Information Compliance Manager on progress with implementation.
10. The Information Compliance Manager will ensure that any learning outcomes of the breach are circulated internally as appropriate. In the case of the most serious breaches, this will include submitting a report to the Audit Committee.