Data breach guidance

A data breach includes but is not limited to the following incidents: 

  • loss or theft of data or equipment on which data is stored: includes processing machines such as PCs, handheld devices and mobile phones, and portable media such as memory sticks and disks
  • inappropriate access controls in systems, both manual and electronic, allowing unauthorised use
  • unauthorised supply of information to internal and external parties
  • equipment failure
  • human error
  • unforeseen circumstances such as a fire or flood
  • hacking into our network systems
  • information obtained by deceit
  • loss of sensitive/personal/confidential paper records

Loss of data could be a breach of the Data Protection Act and our Information Security Policy. As such it may be subject to disciplinary action.

Data breach procedure

  1. Unauthorised access/loss of sensitive/personal/confidential paper records or unauthorised access/loss of electronic records/equipment
  2. As soon as possible after you are aware of the loss: report to x5555 or complete Report a data breach [PDF | 187KB] and email:
  3. Within 8 hours of notification: the Data Protection Officer will review the report and notify the SIRO and Chief Executive
  4. Within 48 hours of notification:
     • if the Data Protection Officer feels the breach is severe, the SIRO will recommend that the Data Protection Officer reports the breach to the ICO; or
     • if the Data Protection Officer feels the breach is not severe, the SIRO will pass the report to the Corporate Governance Board
