SOAS University of London

Reporting Data Protection Breaches at SOAS

Introduction

SOAS will make every effort to avoid breaches of the data protection law, and in particular the loss of Personal Data. However, mistakes can and do happen. In these circumstances it is important that SOAS responds appropriately and promptly to any Data Breach. The Information Commissioner’s Office (ICO) has the power to fine authorities up to €20 million for some types of Data Breaches, particularly where they can demonstrate a failure on the part of the School to uphold the six data protection principles in data protection law, and leads to the loss of individuals’ data protection rights and freedoms.

Definitions

Data Breach: A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Data Protection Law: the General Data Protection Regulation (GDPR) (EU 2016/679) and the UK Data Protection Act (2018), as amended or updated from time to time, and successor legislation to the GDPR and Data Protection Act (2018).

Data Subject: the identified or identifiable living individual to whom personal data relates.

Information Owner: A member of staff with ultimate responsibility for data in any format. Typically, this will be a Director of Professional Services or Principal Investigator.

Personal Data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

Internal reporting process

1. Any individual who becomes aware that they or another person has caused, or may have caused, a Data Breach while carrying out SOAS business, is responsible for reporting it at the earliest possible opportunity, and in any case within 24 hours, to the Information Owner and the Information Compliance Manager (ICM).

2. When reporting the breach to the ICM, send an email to dataprotection@soas.ac.uk with the subject line “Data Breach report – URGENT”.

 Information you must provide in your report:

  • A description of the data or the categories of data affected i.e. contact details, personal information, education records, any types of special category data;
    the number of individuals affected;
  • the volume of data that has been disclosed or lost in physical units, datasets, electronic files etc;
  • A brief explanation of the circumstances which lead to the breach
    the current situation – whether the breach been contained and if not, how many people have access to the affected;
  • what action (if any) has been taken to resolve the breach;

When compiling an explanation of how the breach occurred, please include details of:

  • how did the breach happen?
  • when did this breach occur/begin?
  • has there been a similar occurrence previously?
  • any other details that are thought relevant.

This will help the ICM to quickly identify the scope and seriousness of the breach, and to put in place controls to mitigate the impact of the current breach and prevent similar incidents occurring in the future

3. The ICM will record all the details of the breach in SOAS’s Data Breach Log. This record is kept updated whilst SOAS handles the Data Breach. The ICM will inform the Legal and Governance Team of the breach.

Investigation

4. Broadly speaking, there are two ways that a breach could occur:

Cyber breaches

If the Data Breach occurred as a result of an attack on the School’s IT environment, including phishing and malware attacks aimed at users, the Major Incident Team will lead the response to the breach in accordance with SOAS's IT Cyber Security Plan.

Non-Cyber breaches

If the Data Breach is not cyber related, and occurred as a result of human error or as a result of unauthorised entry into a restricted area, the ICM (or the Director of Business Change and IT Governance in their absence) will investigate the breach.

They will talk to the person who reported the breach and the Information Owner at the earliest opportunity to ensure that they are taking necessary action and that the Information Owner is fully aware of the situation.  All types of breach are equally serious.

The ICM and Information Owner will take any practicable steps to contain the breach as soon as it has been reported (e.g. asking an individual who received personal data in error to fully delete it, and to confirm the action in writing). If the breach is caused by a cyber incident, the Major Incident Team will be responsible for identifying and enacting any immediate measures to contain the breach.

Risk assessment process

5. Following the initial investigation into the causes and context of the breach, the ICM will carry out a risk assessment in accordance with SOAS’s Risk Assessment Model. The ICM will consider the following risk factors:

  • potential harm to the Data Subjects as a result of the Data Breach (e.g. possibility of identity theft or other fraud/theft). The harm may be material (financial loss) or non-material (distress);
  • volume of data disclosed (i.e. number of individual Data Subjects affected or the volume of Data Items);
  • type and sensitivity of the Data (i.e. does it include Special Category Data, relating to racial/ethnic information, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, details about sex life or sexual orientation;
  • type of breach (confidentiality, availability, integrity, or a combination of these)
    how easy it is to identify Data Subjects;
  • the special characteristics of the Data Subjects (i.e. are the Data Subjects vulnerable on account of: old age, childhood, disability, other safeguarding needs or social exclusion factors);
External reporting process

6. If the ICM’s risk assessment concludes that there is a risk to the rights and freedoms of individuals, the breach will be reported to the ICO by the ICM within 72 hours of the School becoming aware of the breach. The ICO will be provided with all of the information listed in bold in section 2 of this procedure, in addition to the outcome of the ICM’s risk assessment detailing the expected consequences for individuals of the breach.  The ICO will expect this to be robust.

7. If the ICM’s risk assessment concludes that the breach will result in a high risk to the rights and freedoms of individuals, SOAS will inform all known individuals affected without undue delay, and to the best of our ability.

The ICM and Head of Communications will be responsible for co-ordinating the process of informing affected individuals, working with HR/Student Advice and Wellbeing. The method used to contact individuals will depend on the number and type of individuals affected, their location and any known special characteristics of the individuals. SOAS will make sure contact is made by the most direct and appropriate method.

The information given to individuals will include: the name and contact details of SOAS’s Data Protection Officer (the ICM), the likely consequences of the breach, and the steps being taken by SOAS to mitigate the impact of the breach.

8. The context and circumstances of the breach may lead to affected individuals suffering damage or distress as a result. If so, the Director of Human Resources will be asked to make resources available to support the welfare of affected staff, and/or the Director of Student and Academic Experience will be asked to make resources available to support the welfare of affected students.

If the Data Breach is cyber related, the Major Incident Team will contact these Directors. If the breach is not cyber related, the ICM will contact these Directors.

9. If the breach is likely to result in material costs to the School as a result of measures required to control the breach, or to respond to ICO enforcement action, the ICM will contact the Director Legal and Governance to procure legal advice and liaise with insurers as necessary.

10. If the Data Breach is likely to come to the attention of the media, and/or the context and circumstances of the breach give rise to the possibility of enforcement action by the ICO, the ICM will ensure that the following senior officers are informed:

  • Director of External Engagement and Public Affairs
  • Registrar and Secretary
  • Director
Post-incident response

11. The ICM will make recommendations to the person responsible for the data concerned, typically the Information Owner, to ensure that the breach is not repeated. These recommendations may include but are not limited to: reviewing processes to add safeguards for the protection of personal data, implementing stronger data back-up and recovery protocols, or requiring staff to attend mandatory in-house data protection and/or information security training.

It will be the responsibility of the Information Owner to ensure that the recommendations are put in place and that they update the ICM on progress with implementation.

If the breach has been reported to the ICO, the recommended actions will be included in the ICM’s next Data Protection Report to Executive Board. Executive Board will need to be updated on the progress of recommended actions against the specified deadlines.

If the breach has been reported to the ICO, they will be kept updated on any improvements to practice.

12. The ICM will ensure that any learning outcomes of the breach are circulated internally as appropriate, as well as providing an account to the ICO.

In the case of the most serious breaches, this will include submitting a report to the Audit Committee.

This procedure was approved by the Data Governance Steering Group on 17 July 2020.