SOAS will make every effort to avoid breaches of the data protection law, and in particular the loss of personal data. However, it is possible that mistakes will occasionally happen. What is important in these circumstances is that the School responds appropriately.
The Information Commissioner has the power to fine authorities up to €20 million for some types of data breaches, particularly where it demonstrates a failure on the part of the School to uphold the six data protection principles in the General Data Protection Regulation, and leads to the loss of data subjects’ rights under the law.
1. Any member of staff who becomes aware that they or another person has caused, or may have caused, an unintentional disclosure of personal data held by SOAS, or some other breach of data protection law by SOAS, is responsible for reporting it at the earliest possible point.
2. The breach should be reported via email to email@example.com with the subject line “Data breach report – urgent”. The information in bold below is necessary information. The information in plain text would help the School identify the scope of the breach, and any actions it needs to take to stop a similar incident happening in the future:
- the data or at the very least the categories of data affected i.e. contact details, personal information, education records, any types of special category data;
- how many individuals have been affected?;
- the volume of data that has been disclosed or lost in physical units, datasets, electronic files etc.
- the current situation – has the breach been contained and if not, how many people have access to the affected data?;
- what action has been taken to resolve the breach?;
- how did the breach happen?
- when did this breach occur/begin?
- has there been a similar occurrence previously?
- any other details that are thought relevant.
3. Broadly speaking there are two possible causes of data breaches. The first is human error, such as falling victim to sophisticated phishing attempts or accidentally disclosing data to unauthorised recipients; the second is deliberate and malicious attempts to infiltrate the School’s IT environment by exploiting vulnerabilities or individuals taking advantage of lax physical security to infiltrate restricted spaces such as offices to steal information.
If the breach occurred as a result of human error or as a result of unauthorised entry into a restricted area, the Information Compliance Manager (or the Head of Legal and Governance in their absence) will investigate the breach. They will talk to the person responsible for the data affected (the information owner, usually a Director, Head of Service Area or Head of Department) to ensure that they are aware of the breach and are taking necessary action.
If the breach occurred as a result of an attack on the School’s IT environment, including phishing and malware attacks aimed at users, the CIO will lead the response to the breach and will consult and seek assistance from colleagues in accordance with the SOAS's Cyber Security Plan.
4. The Information Compliance Manager will consider how serious the breach is, with due regard to current guidance from the Information Commissioner (ICO) and the Article 29 Working Party/European Data Protection Board. The Information Compliance Manager will consider the following risk factors:
- potential harm to data subjects (e.g. possibility of identity theft or other fraud/theft). The harm may be material (financial loss) or non-material (distress);
- volume of data disclosed (i.e. number of individual data subjects affected or the volume of data items);
- type and sensitivity of the data;
- type of breach
- how easy it is to identify data subjects
- special characteristics of the data subjects (are they children, vulnerable adults etc.?)
5. If the Information Compliance Manager assesses a breach and concludes that there is a risk to the rights and freedoms of individuals, the breach will be reported to the ICO within 72 hours of the School becoming aware of the breach. We will be expected to include the information outlined in bold in section 2 of this procedure.
6. If the Information Compliance Manager considers a breach to involve a high risk to the rights and freedoms of individuals we will inform all known individuals affected without undue delay, and to the best of our ability. We will inform the individuals whose data has been breached, we will let them know the likely consequences of the breach, and we’ll inform them of steps being taken to mitigate the impact of the breach. We will contact individuals by the most direct and proportionate method.
7. If the breach is reported to the ICO, or the data breach is likely to come to the attention of the media, the officer leading the response will inform the Communications team.
8. The Information Compliance Manager will make recommendations to the person responsible for the data concerned, typically the information owner, to ensure that the breach is not repeated. It will be the responsibility of that person to ensure that the recommendations are put in place and that they update the Information Compliance Manager on progress with implementation. The improvements to practice will be communicated to the ICO.
9. The Information Compliance Manager will ensure that any learning outcomes of the breach are circulated internally as appropriate, as well as providing an account to the ICO. In the case of the most serious breaches, this will include submitting a report to the Audit Committee.
Page last updated 17 January 2020