Procedure for Breach of Data Security
It is important that action is taken as soon as possible following a data incident or breach to try to rectify the situation and mitigate any risks to data subjects. Tell your line manager, Governance Services or Information Services (as appropriate) - DON'T leave it... the sooner we know, the sooner we can do something about it!
Data Protection legislation governs the University's obligations with regard to personal data and these include a requirement to keep personal data secure. A breach of data security occurs where unauthorised or unintentional access to personal data is gained, whether this data is held in electronic or manual format. This procedure gives guidance on what to do in the event of such a breach occurring.
Data Protection Incident / Breach reporting form (internal)
Immediate actions for an email breach/incident
If you send an email or email attachment in error the following are the steps you need to take to rectify it:
1) Re-open the email you've sent, click on 'Actions' on the toolbar at the top of the email, then select 'Recall this email'. Ensure the 'Delete unread copies of this email' (first option) and 'Tell me if recall succeeds or fails for each recipient' options are selected.
2) Copy the email from your sent items and paste it into a new email as an attachment and send this email to ISServiceDesk@napier.ac.uk, with a copy to firstname.lastname@example.org, explaining what's happened and asking for the message to be deleted from the servers. The email should be titled "Data incident". It is important that a copy of the original email is provided as an attachment, not forwarded, as the attachment will contain metadata which will assist IS in finding it and removing it. Deleting emails from the servers only deals with internal email, NOT external email (see step 3).
3) Contact Governance Services to find out if you need to contact anyone, e.g. data subjects, and get the appropriate template wording to do this. If you need to contact an external recipient who has received an email in error to ask them to delete it, please DO NOT forward the original email sent in error and ask them to delete it. Contact Governance Services for advice and template wording.
4) Complete the Data Protection Incident / Breach reporting form and send this to: email@example.com
Page last updated 10 June 2019