Appendix 12: Data Protection Breach Regulations

1. Purpose and Scope
  1. These Regulations set out the procedure which must be followed by all members and employees of the College staff if a data protection breach takes place.
  2. These Regulations apply to all personal and special category data held by the College.
  3. These Regulations apply to all members of the College and all employees or other staff of the College. Any reference to employees or staff shall include permanent, temporary, contract, and other support staff as applicable; and ‘members’ shall (for the avoidance of doubt) include both Fellows and Junior Members.
  4. The following definitions shall apply to these Regulations:
    1. ‘DPO’ means the College’s Data Protection Officer.
    2. ‘GDPR’ means the General Data Protection Regulation (EU 2016/679).
    3. ‘MUST’, the verb ‘REQUIRE’ in any of its forms, and ‘SHALL’ mean that the item is an absolute requirement.
    4. ‘MUST NOT’ and ‘SHALL NOT’ mean that the item is absolutely prohibited.
    5. ‘SHOULD’ and ‘RECOMMENDED’ mean that there may exist valid reasons in particular circumstances not to comply with a particular item, but the full implications must be understood and carefully weighed before choosing a different course.
    6. ‘SHOULD NOT’ and ‘NOT RECOMMENDED’ mean that there may exist valid reasons in particular circumstances when particular behaviour is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behaviour described with this label.
2. Types of Breach

Examples of breaches include (but are not limited to):

  • Data Breach / Loss / Theft: physical or digital
  • Loss or theft of data or equipment on which data is stored
  • Inappropriate access controls allowing unauthorised use
  • Equipment failure
  • Human error
  • Unforeseen circumstances such as fire or flood
  • Hacking
  • Offences where information is obtained by deception
3. Reporting a Breach (or Suspected Breach)
  1. Any member of the College who discovers, suspects or receives a report of a breach (or suspected breach) must inform the DPO (or if the DPO is not available the Finance Bursar or the Domestic Bursar) and the Head of IT immediately.
  2. Any member of the College’s staff who discovers, suspects or receives a report of a breach (or suspected breach) must inform their Head of Department and the Head of IT immediately.
  3. Where under the GDPR the College is under a duty to report a data breach to the Information Commissioner’s Office (“ICO”), this must be done within 72 hours of becoming aware of the breach.

    The following ICO guidance will help the DPO decide whether and how to notify:
    • When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it is likely that there will be a risk then you must notify the ICO; if it is unlikely then you do not have to report it. However, if you decide you do not need to report the breach, you need to be able to justify this decision, so you should document it.
    • In assessing risk to rights and freedoms, it is important to focus on the potential negative consequences for individuals. Recital 85 of the GDPR explains that:

      “A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”
    • This means that a breach can have a range of adverse effects on individuals, which include emotional distress, and physical and material damage. Some personal data breaches will not lead to risks beyond possible inconvenience to those who need the data to do their job. Other breaches can significantly affect individuals whose personal data has been compromised. You need to assess this case by case, looking at all relevant factors.
    • If it is decided to report the incident to the ICO, the following link has details on how to do so: https://ico.org.uk/for-organisations/report-a-breach/
4. Immediate Containment/Recovery
  1. In a case falling within regulation 3.1:
    1. the Head of IT must ascertain whether the breach is still occurring. If so, steps must be taken immediately to minimise the effect of the breach (e.g. by shutting down a system or alerting relevant staff);
    2. the DPO and the Head of IT must ensure that appropriate steps are taken quickly to recover any losses and limit the damage.
  2. In a case falling within regulation 3.2:
    1. The Head of Department must ascertain whether the breach is still occurring. If so, steps must be taken immediately to minimise the effect of the breach (e.g. by shutting down a system or alerting relevant staff). It is recommended to ask for assistance from IT staff.
    2. The Head of Department must inform the DPO (or if the DPO is not available the Finance Bursar or the Domestic Bursar) and the College Officer with supervisory responsibility for the staff concerned as soon as possible.
    3. The Head of Department working with the DPO and the Head of IT must ensure that appropriate steps are taken quickly to recover any losses and limit the damage.
  3. Steps to recover losses and limit damage might include:
    1. Attempting to recover lost equipment.
    2. Contacting any affected individuals or departments so that they are prepared for any potentially inappropriate enquiries ‘phishing’ for further information on those concerned.
    3. Contacting the relevant people so that they can be prepared to handle any press or other enquiries that may result.
    4. The use of back-ups to restore lost/damaged/stolen data.
    5. If bank details have been lost/stolen, contacting banks directly for advice on preventing fraudulent use.
  4. If the data breach includes any entry codes or passwords, these codes must be changed immediately and all relevant employees and members of the College informed.
  5. The DPO must consider whether the police need to be informed. Informing the police would be appropriate where illegal activity is known or is believed to have occurred, or where there is a risk that illegal activity might occur in the future given the nature of information lost.
5. Investigation
  1. The DPO shall ensure that the College investigates the breach and ascertains whose data was involved in the breach, the potential effect on the data subject and what further steps need to be taken to remedy the situation.
  2. The investigation should involve the Head of IT and the relevant Head of Department and/or supervising College Officer.
  3. The investigation shall consider: the type of data concerned, its sensitivity, what protections are in place (e.g. encryption), what has happened to the data, whether the data could be put to any illegal or inappropriate use, how many people are affected, what type of people have been affected (the public, suppliers etc.) and whether there are wider consequences to the breach.
  4. The investigation shall be completed urgently and wherever possible within 24 hours of the breach being discovered or reported. A further review of the causes of the breach and recommendations for future improvements must be done once the matter has been resolved.
6. Informing and Recording
  1. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, the DPO shall ensure that the College informs those individuals without undue delay.
  2. The DPO shall, after seeking legal advice, decide which agencies and which other persons should be notified of the breach. Some people/agencies may need to be notified as part of the initial containment, but the decision will normally be made once an investigation has taken place.
  3. The DPO shall liaise with the Estates Bursar & Land Agent about informing the College’s insurers.
  4. The DPO shall ensure that the College keeps a record of all personal data breaches, regardless of whether the College was required to notify data subjects.
7. Evaluation
  1. In the aftermath of the breach, the DPO shall fully review both the causes of the breach and the effectiveness of the response to it and prepare a written report for the next meeting of the Finance Committee.
  2. If systemic or ongoing problems are identified, an action plan must be drawn up and approved by the Finance Committee to correct these.
  3. If the breach warrants a disciplinary investigation this shall be conducted by the appropriate College Officer or Head of Department in accordance with the College’s Bylaws and other relevant regulations.
8. Implementation
  1. All Heads of Department must ensure that their staff are aware of these Regulations and their requirements. This should be undertaken as part of induction and supervision.
  2. The DPO in co-operation with the Finance Bursar, the Sub-Warden, and the Senior Tutor must ensure that the Fellows and Junior Members of the College are aware of these Regulations and their requirements.
9. Review and Amendment

These Regulations shall be reviewed and updated annually by the Finance Bursar and the DPO and approved by the Governing Body after review by the Finance Committee and the Statutes and Bylaws Committee.

Useful Contacts

Data Protection Officer:
dpo@merton.ox.ac.uk
01865 276310 (College Lodge)

IT Department:
it-support@merton.ox.ac.uk
01865 276310 (College Lodge)

Head of IT:
simon.mortimore@merton.ox.ac.uk
01865 276566