Personal data breaches: prevent, report, protect

All colleagues are being reminded of the importance of protecting personal data during the COVID-19 pandemic. The changes brought about by the pandemic create additional risks to our people and the University. We can all take simple steps to prevent data breaches, and we must report them immediately in order to protect individuals’ data and the University’s reputation.


There are a number of simple steps we can all take to avoid data breaches, such as:

  • Avoiding sending an email containing personal data to the wrong person by turning off the ‘auto-complete’ function in Outlook
  • Being careful not to attach the wrong file to an email and removing attachments or previous messages in the conversation before forwarding them

More examples of common breaches, and tips for avoiding them, can be found on the Personal data breaches: prevent, report, protect webpage.

In addition, colleagues should complete the online data privacy and information security awareness training course to learn more about personal data and information security. All University employees must complete the training once every 12 months. The course is free (there is no charge to you or your department) and it takes approximately 30 – 40 minutes to complete.


It is vital that you immediately report potential personal data breaches. We only have 72 hours from the point of discovery to report certain high-risk breaches to the UK regulator, the Information Commissioner’s Office – that is 72 hours in total, not working hours. Once an incident has been reported to the Information Compliance Team, they will help decide if it is in fact a breach, contain it if it isn’t already contained, and report it to the ICO, if necessary. The Information Compliance Team is here to support you, not blame you or point the finger at anyone.

Visit the staff guidance on personal data breaches webpages for more information. In short, not reporting an incident is much more serious than reporting one. It is also important to report phishing incidents to the Information Security Team.


Personal data breaches can cause significant harm to individuals, from mild embarrassment to, in the most extreme cases, fear of physical harm.

We all have a duty to protect one another. It is not only individuals who are at risk from improper processing of personal data; the University could also be significantly impacted. Personal data breaches can cause reputational and financial damage. The financial penalties that can be imposed on organisations that fail to protect personal data can run into the tens of millions of pounds, and ultimately the ICO has the ability to stop the University from processing personal data altogether.

For more detailed information on this topic, including more examples of common breaches, visit the Compliance webpage Personal data breaches: prevent, report, protect.