Data protection breach procedure

Guidance for members of University staff on reporting a potential data protection breach

Breach Evaluation Form (190.22 KB / RTF)


How to report a potential data protection breach

It is the responsibility of any member of staff who discovers a personal data incident to report it immediately by email to the Data Protection Officer at  The email subject line should state ‘breach’.

Staff members who report a data protection breach will be asked to complete Part A of the Data Protection Breach Response Evaluation Form within 24 hours of discovering the potential breach involving personal data.  When you return the form you should ensure that you copy your email to the head of your school or service area and to your local Data Protection Champion(s).

If you require IS User Services Division to delete an email sent in error, please initiate a Unidesk call.



Data Protection Champions

How to recognise a potential data protection breach

Data protection law defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” 

Incidents resulting in the temporary loss or unavailability of personal data may still constitute a personal data breach.

Personal data is information about a living, identifiable individual.


Data protection breach procedure

The University’s procedure for dealing with data protection breaches is set out in section 17 of the Data Protection Handbook.  

The Handbook also contains examples of data protection breaches.

All individuals who access, use or manage the University’s information are responsible for following these guidelines and for reporting any data protection incidents that come to their attention.

Data Protection Handbook