
Division of General Counsel, Governance and Compliance

Reporting Data Breaches

Breaches can be small, relating to one person, or can affect many hundreds of individuals. The impact of a breach can be significant, for the individuals affected and the University.

Breaches can affect information held electronically or in paper files, and personal data can be lost or compromised in a number of ways. The cause might be an email sent to the wrong person, a lost or stolen device such as a laptop or memory stick, hard copy paperwork being lost or disposed of incorrectly, or unauthorised or incorrect access being given to systems.

What should you do if you discover a personal data breach?

Any personal data breach, however minor, must be reported immediately to the Data Protection Officer (DPO). This is so the matter can be assessed and we can take steps to limit the impact of a breach where possible. If you’re not sure if something is a breach, please still report it immediately.

Click HERE to report a breach or a suspected breach

Clicking the above will take you to the Breach Notification Form which asks for the information that we need to establish if a data breach has occurred, and to decide what immediate steps we need to take, including whether the breach should be reported to the Information Commissioner’s Office (‘ICO’).

If a breach is likely to have a significant impact on the individual(s), then it must be reported to the ICO within 72 hours of the University becoming aware of the breach. So it is important that all breaches are reported to the Data Protection Officer without delay.

What happens next?

On receipt of the breach notification form, the DPO, or a colleague from the Information Management team, will assess the matter and will work with you and other relevant colleagues to make sure that any personal data is secured and any impacts of the breach are minimised.

We understand that mistakes happen and that the vast majority of breaches are accidental, so staff should not be concerned about reporting a breach to us.

Common personal data breaches and initial action

Emails account for over 90% of personal data breaches at the University, usually as a result of sending an email to the wrong person or including the wrong attachment. Please read our Guidance on the Use of Email, which sets out advice on how to reduce the risk of data breaches by email.

With quick action, though, we can sometimes turn a breach into a ‘near miss’ or mitigate the impact of any breach. Here are the key steps to take:

  • First Step – Recall the email
  • Second Step – Report the data breach
  • Third Step – Action advice from the University’s Data Protection Officer on other steps to take

Step 1: Recalling an email

The first immediate step is to recall the email, and this is particularly important where an email has been sent to multiple recipients. Where the email has been sent internally to @sussex.ac.uk addresses (staff and students), and it has not yet been read, it will be recalled / removed from the inbox(es), avoiding the breach. Please read our Guidance on the Use of Email, which sets out how to recall an internal email successfully.

The only circumstances where there is no need to recall the email are:

  • All recipient(s) are external to the University, i.e. not @sussex.ac.uk emails, as the recall will not work; or
  • You know that any recipient(s) have already read the email. For example, the email was sent to one incorrect recipient, who has got in touch with you to flag the error.

Step 2: Report the breach

As soon as you have tried to recall the email, whether this was successful or not, you must report the breach to the University’s Data Protection Officer, Alexandra Elliott. Any actual or suspected personal data breach, even if the email was only sent to one incorrect person, must be reported as soon as you become aware of it.

The most appropriate way to report a breach is to use the University’s Data Breach Notification form. Alternatively, you can email dpo@sussex.ac.uk and include all the relevant information. Please also identify the incorrect recipient(s) / attachment(s), and provide copies of the email(s) in question and any Recall Report if relevant.

Step 3: DPO advice and other actions

The University’s Data Protection Officer will assess the matter and decide on what further actions, if necessary, are required. This could include the DPO making a request to ITS to access the relevant internal inbox(es) to permanently delete the email. This may be appropriate for breaches involving sensitive data or with multiple incorrect recipients.

However, where the incorrect recipient has already flagged the breach to you, i.e. they are aware of / have read the email, please ask them to permanently delete the email. Send a new email to each recipient, rather than replying on the chain, and ask the incorrect recipients to delete those emails from their inbox, sent box, and deleted folder. You should also ask them to confirm to you that they have permanently deleted the emails.

The DPO might advise on any other steps as well as whether the breach needs to be notified to the Information Commissioner’s Office or any affected data subjects.

It is important to report all data breaches because it helps us to understand any existing risks, gives us the opportunity to make recommendations to reduce those risks, and it is a learning opportunity for you and your team to avoid further breaches.

If you have any queries about the above, or steps to take, please just contact the Data Protection Officer.

Last updated 7 April 2025