
Personal Data Breaches

The ICO updates its guidance on General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA) regularly. It also offers a range of resources and support that can be accessed here.

The GDPR has placed new requirements on the way organisations report certain personal data incidents (breaches) to the ICO. The most significant change is that all such breaches must be reported to the ICO within 72 hours of becoming aware of the breach. If this is not practicable, the organisation must report the incident as soon as possible and provide valid justification for missing the statutory deadline. The ICO has produced guidance relating to personal data breaches.

The Office of Intercollegiate Services (OIS) has produced a Personal Data Incident Report (PDIR) template to assist Colleges in completing their initial assessment of a potential incident as quickly as possible. This is to allow sufficient time for the OIS (as the DPO) to review the incident and notify the ICO (where needed) within the 72-hour timeline. Organisations are required to keep a record of all their personal data breaches, even those that do not need to be reported to the ICO. The PDIR forms act as the internal record for both the Colleges and their DPO.

To assist Colleges with completing the PDIR, the OIS has produced a guidance paper that the CDPLs are encouraged to read in order to support any College staff who may need to report an incident.