What is a personal data breach?
A personal data breach is a security incident that may involve a data subject losing control of the information about him or her, or his or her rights being compromised. Examples of detriment that may arise following a personal data breach are a loss of confidentiality or breach of professional confidentiality, identity theft, fraud, the spread of damaging rumours and financial loss.
A personal data breach has occurred when, for example, information about one or several data subjects has been destroyed or otherwise lost, or fallen into unauthorised hands. A breach may also have occurred when:
- an unauthorised party has gained access to the personal data, for example because someone has sent personal data to recipients who were not intended to receive the information
- computers that contain personal data have been lost or stolen
- someone has modified personal data without permission, or
- the personal data are not available to the person who requires them, and this leads to negative consequences for the data subjects.
A personal data breach is considered to have occurred regardless of whether the incident was intentional or accidental.
Notification of personal data breaches
The personal data regulations require that certain personal data breaches are to be reported to the supervisory authority. This must take place within 72 hours of the breach being discovered.
A person who discovers that a personal data breach has taken place must immediately notify the data protection officer. The data protection officer will assess whether it is necessary to report the incident to the supervisory authority, and will determine whether further measures must be taken to minimise the negative effects. The data protection officer is responsible for the further management of notified personal data breaches at LiU.
Personal data breaches that occur at a personal data processor are also to be reported to the data protection officer.
When you notify the data protection officer of a personal data breach, the following information must be given:
- Your contact information
- Names of any personal data processors and sub-processors involved
- A statement of whether the personal data breach has led to the rights and freedoms of the data subject being compromised
- Information about when the breach occurred
- Information about when the breach was discovered
- Information about what happened during the breach
- Information about how the breach was discovered
- Your opinion of the reason(s) for the personal data breach
- The field of operations in which the personal data breach occurred
- The number of data subjects that have been affected by the breach
- The number of personal data records that have been affected by the breach
- The groups to which the data subjects belong (students, employees, research subjects or other)
- The nature of the personal data affected by the breach
- Information about whether the personal data was encrypted.
The notification must be sent immediately to firstname.lastname@example.org
Last updated: 2019-01-14