Under GDPR, a data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. This definition extends to breaches which result from malicious conduct, lack of appropriate security controls, system or human failure, or error.
TU Dublin as a Data Controller is legally required to notify the Office of the Data Protection Commissioner where a personal data breach is likely to result in a risk to data subjects’ rights and freedoms.
In addition, Schools and Functional Areas are legally required to notify affected individuals (Data Subjects) where a Personal Data breach is likely to result in a high risk to their rights and freedoms. For further guidance on recognising and managing a data breach, please see the TU Dublin Data Breach Management Guidelines in Appendix S.
TU Dublin is required to notify the Data Protection Commissioner within 72 hours after having become aware of the Personal Data breach. Therefore, Schools and Functional Areas have to have robust processes and procedures in place to identify and report suspected Personal Data breach incidents. These procedures should also cover errors and “near misses”, both as learning opportunities and in order to mitigate possible future risks.
Schools and Functional Areas also have to implement an internal reporting procedure. This should include documentation of any suspected Personal Data breach, comprising the facts relating to the breach, its effects and the remedial action taken. Failure to report a notifiable breach could result in enforcement action by the Data Protection Commissioner including the imposition of an administrative fine in addition to any fines imposed regarding the breach.