Report a potential incident immediately
Imagine you’ve accidentally sent a CV to the wrong email address or left your laptop on the train; a momentary lapse of concentration can result in a data breach or security incident. By responding quickly, we can limit the damage and consequences for privacy: both your own and the university’s. You should therefore report an incident (or suspected incident) immediately to the ISSC Helpdesk. Be a hero: report it!
Business information and personal data are valuable and as an organisation we are required to treat them with great care. It is therefore important that all university staff know not only how to handle information securely but also what to do in case of an incident. This means you should learn to recognise incidents and the best way to respond to them.
What is a security incident or a data breach?
Security incident
A security incident is a breach of information security: perhaps a lost USB stick or a virus on your work laptop. As a result, you may, for example, no longer be able to access certain information, while others can.
You should report a security incident to the ISSC Helpdesk as soon as you suspect or discover it. The Security Office will then be able to promptly take steps to remedy or prevent the incident. This will enable us to limit the (risk of) damage for the organisation. So be a hero: report it! Even if you’re not sure.
Data breach
In the case of a data breach, someone has access to personal data when this is not permitted or intended. The definition also includes the accidental destruction, loss, alteration or disclosure of personal data due to this kind of breach.
You should report a (potential) data breach immediately to the ISSC Helpdesk. The Privacy Office will then be able to take steps as soon as possible to remedy or prevent the data breach, and to limit the (risk of) damage for the data subjects and the organisation.
The university also has a legal obligation to notify a data breach within a specified period on the basis of the GDPR. Some data breaches must be notified to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens; the supervisory authority) and the affected data subjects within 72 hours. So be a hero: report it! Even if you’re not sure.
Examples
You leave a CV in the printer
Before holding a job interview, you print the applicant’s CV. You leave the printout in the printer and a colleague finds the CV.
This is an example of a data breach. Your colleague was accidentally able to see the applicant’s personal data.
You report this data breach to the ISSC Helpdesk. The Privacy Office then takes appropriate steps, such as destroying the CV by running it through the shredder. The data breach is recorded internally. Depending on the privacy risk for the applicant, it will also be notified to the Dutch Data Protection Authority and/or to the applicant.
You leave your laptop on the train
You leave your work laptop on the train. The laptop is not found again.
This is an example of a security incident. If the laptop contains personal data, then it is also a data breach. The laptop is protected, so it’s unlikely that anyone else has access to the information or personal data. Nevertheless, you need to report this as soon as possible.
You report the incident to the ISSC Helpdesk. The Security Office and/or Privacy Office then takes appropriate steps, such as remote wiping of the laptop. We can then be sure that the information and possible personal data remain secure.
A student receives the wrong grade list
A student receives another student’s grade list instead of their own. The student reports this to Student & Educational Affairs (SOZ).
This is an example of a data breach. The student accidentally saw another student’s personal data. SOZ must report this to the ISSC Helpdesk as a data breach.
The Privacy Office can then take follow-up steps together with SOZ. For example, the student may be asked to return the list (if it was received on paper) or to delete the file and the email (if it was received electronically). This data breach is recorded internally. Depending on the privacy risk for the other student, it will also be notified to the Dutch Data Protection Authority and/or to the other student.
Dare to ask
If you have any questions about data breaches or security incidents, please send an email to the Privacy Office or Security Office via privacy@bb.leidenuniv.nl or security@bb.leidenuniv.nl.