We speak of a data breach if personal data has been released (leaked), viewed, changed or deleted, knowingly or accidentally. Examples of data breaches are:
- Theft of a laptop containing personal data used for work at EUR;
- Sending an email with personal data to the wrong colleague/person;
- Student grade lists being visible on the internet;
- A hacker gains access to personal data;
- Accessing folders you should not have access to (for example, on SharePoint or a network disk);
- A colleague accidentally receives someone else's payslip;
- Sending an email in which all email addresses are in the CC field, instead of the BCC field;
- Leaving a printout with personal data at the copier or printer.
The consequences and risks of a data breach can be significant. Whether there are consequences and risks, and how serious they are, depends among other things on which data has been leaked.
The following dangers, among others, can occur in the event of a data breach:
- Identity theft
Have you discovered a possible data breach? Report this immediately to the Service Desk via telephone number (010) 408 88 80, by email via firstname.lastname@example.org or by visiting the desk on the ground floor of the Sanders building (LB-029).
The Service Desk employees know how to deal with a possible data breach. They register the report discreetly and ensure that it reaches the right colleague. You will then be contacted to collect more information. This way we can determine whether there really is a data breach and whether it must be reported to the Dutch Data Protection Authority.
You have reported a possible data breach. What happens now?
A data breach involves access to, or destruction, modification or release of, personal data at an organization without the organization having intended this. The Privacy Officer will go through a questionnaire with you to assess it.
How long has the undesired situation existed, how large is the group of people involved, and what damage could those involved suffer if someone with malicious intent has access to the leaked data?
What steps should be taken to end the undesirable situation as quickly as possible? Is further investigation necessary to determine the impact?
In what way and with what information can those involved be informed about the incident immediately, so that they are aware of it and can themselves take follow-up actions that remove or reduce possible risks?
Assessment of whether the data breach must be reported to the Dutch Data Protection Authority (AP).
The data breach notification obligation means that organizations (both companies and government bodies) must report to the Dutch Data Protection Authority (AP) immediately as soon as they have a serious data breach. Sometimes they also have to report the data breach to the data subjects (the people whose personal data has been leaked).
What additional action is necessary and desirable for the employees involved in the possible data breach? Think of an evaluation, formulating lessons learned and adapting the work process. Also consider a specific awareness meeting and/or training provided by the EUR privacy organisation. The case can be added as a learning point to the EUR awareness campaign and/or privacy training, and added to the FAG list on MyEUR. Agree with the employees involved in the possible data breach on a moment to test whether the modified working method is actually effective.