Data Protection

Reporting data protection incidents

What is a data protection incident?

The University holds the personal data of thousands of staff, students, alumni, research participants and others who have an association with the University. If that data is lost, stolen, corrupted or released to unauthorised persons, the Information Governance Office must be informed immediately.

It’s safest to assume that all information about a living, identifiable individual is personal data and may include:

  • Factual information about an individual such as date of birth, national insurance number, bank account, name and address.
  • Sensitive information such as health, sexual life, criminal record, ethnicity, religion.
  • Opinions expressed, for example in staff development reviews or email comments.

Other examples can be found in the Information Security Categories document.

How do I report a data protection incident?

The two main types of incident are:

  • Where someone knows or suspects that an incident has occurred which actually or potentially involves inappropriate disclosure of personal data - contact the Information Governance Office immediately on 0161 275 7789 or by emailing outside office hours.

  • Where a data storage device such as a PC, laptop, tablet, USB stick, or smart phone has been lost or stolen regardless of the data it contains - immediately contact both the Information Governance Office on 0161 275 7789 or by emailing outside office hours and the University Security Office on 0161 306 9966 (the number is on the back of all staff/student ID cards).

If you are unsure whether or not to report an incident, consult the Information Governance Office.

Further information and forms for reporting data protection incidents

Personal data breaches can cause real harm and distress to the individuals involved and can provide the opportunity for identity fraud, so it’s important that incidents are reported as quickly as possible. Once the Information Governance Office are notified, they will provide advice and guidance on the next steps to be taken to ensure that the rights of the individuals are protected and, where appropriate, inform the Information Commissioner’s Office.

Please complete the Information Security and Data Protection Incident form which can be accessed through this link:

Incident Report

There is also a simple summary of the procedure which can be found here:

Flowchart summarising the reporting procedure

Reporting Information Security and Data Protection Incidents - Standard Operating Procedure

The Information Commissioner’s Office, the independent body responsible for enforcing and overseeing compliance with legislation, has the power to require organisations to undertake specific actions and can impose significant fines on organisations which compromise people's privacy. It is important that we can demonstrate that we respond quickly to any incident or “near miss”.