A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
In other words, a personal data breach could be a hacker attack through which all data in a system is stolen. It could also be as simple as someone losing their mobile phone, staff at the University who are not authorised to access personal data gaining access to it by mistake, or an email containing personal data being sent to the wrong recipient.
Report a personal data breach
Report personal data breaches to firstname.lastname@example.org.
The report should answer the following questions for the case to be solved promptly:
- Did the breach take place in Sweden or in another country?
- Describe the breach – when did it occur, at what time was it discovered, how was it discovered, what happened?
- Why did the breach occur?
- Does the breach concern personal data that is being processed by a personal data processor?
- How many registered individuals have been affected?
- To what extent has registered personal data been affected?
- Who are the people registered? Students? Staff?
- What type of personal data has been affected by the breach?
- Was the personal data encrypted?
- What could the consequences of the breach be?
What happens after I have reported a personal data incident?
At Umeå University, there are established procedures for how personal data breaches are to be processed. Umeå University is responsible for documenting all suspected personal data breaches and reporting certain types of these to the Swedish Authority for Privacy Protection (IMY).
Reports to IMY must be made within 72 hours of the University establishing that a personal data breach has taken place.
The University Director, after consultation with the university’s data protection officer, is responsible for submitting reports of personal data breaches to IMY.