Report a data breach

When to report a data breach

Please report a suspected or actual data breach as soon as you possibly can to enable us to resolve the breach and put in place processes to avoid any re-future occurrence. We do understand that many are unintentional.

Further, if we need to report a more serious breach to the Information Commissioner’s Office (the UK’s data protection supervisory body) we must do so within 72 hours so it is important that if you suspect a breach has occurred that you let us know as soon as possible.

Types of breaches

The types of breaches that must be reported are those that:

• Compromise the personal data by enabling unauthorised access (e.g. leaving a laptop or mobile phone on public transport or misplacing important papers containing personal data), sending an email or an attachment to the wrong recipient or not storing data securely.
• Threaten the security of personal data such as hacking or attempted hacking of systems containing personal data, identify theft and attempts to obtain personal data by deception (e.g. bogus phone calls, social engineering or e-mails). It can even include an unauthorised individual trying to gain physical access to restricted areas where personal data is held.
• Breach confidentiality obligations such as disclosure of restricted or confidential information (especially passwords or other access control data) to unauthorised member of the University.

How to report a breach

If you think you have caused or discovered an instance where something inappropriate or unintended has happened to personal data, then the most important thing is to let us know by reporting the breach using the data breach form as soon as possible.

You can also email us at dataprotection@surrey.ac.uk or if you think a computer, IT service or user account has been compromised, please telephone the IT Service Desk immediately on +44 (0)1483 689898 or email IT at itservicedesk@surrey.ac.uk.