What is a personal data breach?
A personal data breach occurs when:
- personal data is knowingly, unknowingly or unlawfully destroyed, distorted, altered or lost,
- someone who does not have authorised access to personal data is able to access it, or
- personal data is disclosed in an unauthorised way.
The risks include an individual losing control of his or her data, or the rights of an individual being violated. Examples are discrimination, identity theft, financial loss, and breaches of secrecy and confidentiality.
A personal data breach has occurred if, for example, data relating to one or more individuals has been subject to destruction, loss or has otherwise fallen into the wrong hands, regardless of whether this is done intentionally or accidentally.
A personal data breach can also occur when a person has obtained, or has been exposed to, information to which that person has no authorised access, for example
- when someone has got hold of a password that allows that person to log on to systems that process personal data,
- when an e-mail containing sensitive personal data, or personal data requiring extra protection, is sent to the wrong addressee,
- when a paper containing details such as a name and an illness is left in the printer, or
- when a computer is infected by malware that makes it possible for an unauthorised person to access personal data.
What should you do in case there is a personal data breach?
Personal data breaches must be notified when staff or processors (suppliers)
- know that an incident has occurred
- suspect that an incident has occurred
- realise that an incident will occur.
Every personal data breach must be notified as soon as possible after being discovered. This applies even if the incident has been rectified. Luleå University of Technology must notify certain kinds of incidents to the Swedish Data Protection Authority.
Staff and processors notify the incident by e-mail to email@example.com, and a central group then assesses the gravity of the incident. Where necessary, the incident is then notified to the Swedish Data Protection Authority within 72 hours after it was discovered.