Report any potential breaches immediately to the Data Protection Officer.
Personal data breach
A personal data breach means a breach of security leading to the unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.
It is important to note that personal data breaches can occur through action (for example, forwarding a student’s personal data to a third party without a lawful basis) but also through inaction: if a student is told their health data will be held for 5 years and no action is taken to enforce this retention period, then any access to that data could constitute a personal data breach.
Any potential personal data breach needs to be reported immediately to the Data Protection Officer, as the Data Protection Act requires any high-risk breach to be notified to the Information Commissioner's Office within 72 hours of the breach being detected or notified. Failure to protect or contain the breach can lead to fines for the University of £7 million and upwards (based on 2023 figures).