Procedure for Breach of Data Security
It is important that action is taken as soon as possible following a data incident or breach to try to rectify the situation and mitigate any risks to data subjects. Tell your line manager, Governance Services or Information Services (as appropriate) - DON'T leave it... the sooner we know, the sooner we can do something about it!
Data Protection legislation governs the University's obligations with regard to personal data and these include a requirement to keep personal data secure. A breach of data security occurs where unauthorised or unintentional access to personal data is gained, whether this data is held in electronic or manual format. This procedure gives guidance on what to do in the event of such a breach occurring.
Immediate actions for an email breach/incident
If you send an email or email attachment in error, the following are the steps you need to take to rectify it:
- Don't Panic!
- Copy the email from your sent items (click on it and press the Ctrl + C keys) and paste it into a new email as an attachment (click into the body of the new email and press the Ctrl + V keys) and send this email to firstname.lastname@example.org, CC'ing ISServiceDesk@napier.ac.uk, explaining what's happened and asking for the message to be deleted from the servers.
The email should be titled "Data incident".
It is important that a copy of the original email is provided as an attachment, not forwarded, as the attachment will contain metadata which will assist IS in finding it and removing it.
Deleting emails from the servers only deals with internal email, NOT external email.
- Governance Services Data Protection team will assess the incident and decide on the course of action to be taken. Please use the appropriate template wording provided by Governance Services if you are required to contact any individuals concerned.
- Please DO NOT forward, reply or "reply all" to the original email sent in error!
- Complete the Data Protection Incident / Breach reporting form below and send this to: email@example.com.
Data Protection Incident / Breach reporting form (internal)
Procedure for a Breach of Personal Data Security
Download the Procedure for a Breach of Personal Data Security.
Page last updated 30 March 2022