arrow
Search icon

Data Breaches

The GDPR introduces mandatory breach notification - breaches must be reported to the Data Protection Commissioner (DPC) within 72 hours, unless the personal data affected was anonymised or encrypted. In practice this will mean that most data breaches must be reported to the DPC. Breaches that are likely to bring harm to an individual – such as identity theft or breach of confidentiality – must also be reported to the individuals concerned.

Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.

All breaches or suspected breaches should therefore be reported to the University’s Data Protection Officer without delay for assessment.

What is a "data breach"?

The GDPR defines a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

For example, an unauthorised/accidental:

  • disclosure of, or access to, personal data.
  • alteration of personal data.
  • loss of access to, or destruction of, personal data.

Data breaches may occur in a variety of contexts, such as:

  • Loss/theft of personal data (e.g. on a memory stick, laptop or paper records)
  • Inappropriate access controls (e.g. using unsecure passwords)
  • Equipment failure
  • personal data being left unlocked in accessible areas (e.g. leaving IT equipment unattended when logged into a user account, leaving documents on top of shared photocopiers)
  • Disclosing personal data to unauthorised individuals (internal or external to the University)
  • Human error (e.g. emails/post being sent to the wrong recipient)
  • Hacking, viruses or other security attacks on IT equipment systems or networks
  • Breaches of physical security (e.g. forcing of doors/windows/filing cabinets)

If a data breach has occurred, please take the following steps WITHOUT DELAY:

  • Inform your Head of Department/Division
  • Head of Department/Division must inform the Data Protection Officer (dataprotection@ul.ie)

We are updating our current security breach procedure in line with the GDPR requirements and this will be published on www.ul.ie/dataprotection shortly.

President's Report to Governing Authorit...

November Report now available*

Governing Authority Reports

January Report now available*