Data Protection


Reporting data protection incidents

What is a data protection incident?

The University holds the personal data of thousands of staff, students, alumni, research participants and others who have an association with the University. If that data is lost, stolen, corrupted or released to unauthorised persons, the Records Management Office must be informed immediately.

It’s safest to assume that all information about a living, identifiable individual is personal data and may include:

  • Factual information about an individual such as date of birth, national insurance number, bank account, name and address.
  • Sensitive information such as health, sexual life, criminal record, ethnicity, religion.
  • Opinions expressed, for example in staff development reviews or email comments.

Other examples can be found in the Information Security Categories document.

How do I report a data protection incident?

The two main types of incident are:

  • Where someone knows or suspects that an incident has occurred which actually or potentially involves inappropriate disclosure of personal data - contact the Records Management Office immediately on 0161 275 8111 or by emailing infosec@listserv.manchester.ac.uk outside office hours.

  • Where a data storage device such as a PC, laptop, tablet, USB stick, or smart phone has been lost or stolen regardless of the data it contains - immediately contact both the Records Management Office on 0161 275 8111 or by emailing infosec@listserv.manchester.ac.uk outside office hours and the University Security Office on 0161 306 9966 (the number is on the back of all staff/student ID cards).

If you are unsure whether or not to report an incident, consult the Records Management Office.

Further information and forms for reporting data protection incidents

Personal data breaches can cause real harm and distress to the individuals involved and can provide the opportunity for identity fraud, so it’s important that incidents are reported as quickly as possible. Once the Records Management Office are notified, they will provide advice and guidance on the next steps to be taken to ensure that the rights of the individuals are protected and, where appropriate, inform the Information Commissioner’s Office.

Data Protection Incident Report form

Loss or Theft of Data Storage Device Report form

Flowchart summarising the reporting procedure

Reporting Data Protection Incidents - Standard Operating Procedure

The Information Commissioner’s Office, the independent body responsible for enforcing and overseeing compliance with legislation, has the power to require organisations to undertake specific actions and can impose significant fines on organisations which compromise people's privacy. It is important that we can demonstrate that we respond quickly to any incident or “near miss”.