How to manage a security breach involving personal data
If a security breach involving personal data occurs, report it immediately to dataskyddsombud [at] lu [dot] se and servicedesk [at] lu [dot] se.
It is crucial that the report is made promptly so that the rights of those affected by the incident can be addressed and, where necessary, the breach can be notified to the Swedish data protection authority (IMY) within the time limit set by the GDPR (72 hours from when the organisation became aware of the breach). If you are unsure whether a breach has occurred, contact the data protection officer for guidance.
What constitutes a security breach involving personal data?
A personal data breach is a breach of security that leads to
- accidental or unlawful destruction, loss or alteration of the personal data that is processed, or
- unauthorised disclosure of or unauthorised access to the personal data that is processed.
Some typical consequences of a personal data breach help to make the concept concrete. A breach can lead to
- physical, material or non-material damage, for example loss of control over one's own personal data,
- restriction of the rights of data subjects,
- discrimination,
- identity theft or fraud,
- financial loss,
- unauthorised reversal of encryption or pseudonymisation,
- damage to reputation,
- loss of confidentiality of personal data protected by professional secrecy, or
- other economic or social disadvantage for the person concerned (for example, someone gains unauthorised access to personal data at a bank, which in turn can lead to financial loss for individuals).
At the bottom of the page are a number of examples of personal data breaches.
How can I determine if a security breach involving personal data has occurred and provide information about the extent of the breach?
Checklist:
- Has a security breach occurred, leading to
a) accidental or unlawful destruction, loss or alteration of the personal data that is processed, or
b) unauthorised disclosure of or unauthorised access to the personal data that is processed?
- Did the breach occur at LU, or at a personal data processor, and if so which one?
- How many data subjects have been affected? (A rough estimation will suffice)
- How much of the data subject’s data was affected? (A rough estimation will suffice)
- Which types of data subjects were affected, e.g. staff, students?
- What type of personal data was affected by the breach?
- What are the potential consequences of the breach?
- How serious is the breach with regard to the privacy of the data subjects? (A rough estimation will suffice)
Breaches must be reported immediately to dataskyddsombud [at] lu [dot] se and to servicedesk [at] lu [dot] se, regardless of whether it affects one or more data subjects, the type of personal data or amount of data concerned.
Examples of personal data security breaches within higher education and other sectors:
1. A personal data controller saves a backup copy of an archive containing personal data on a USB memory stick. The USB stick is then stolen during a burglary.
2. A personal data controller runs an online service. As a result of a cyberattack on that service, individuals' personal data is exfiltrated.
3. Personal data from a large number of students is sent by mistake to the wrong mailing list with over 1 000 recipients.
4. An email for direct marketing purposes is sent to recipients in the field "To:" or "Cc:", which makes it possible for all recipients to see the other recipients’ email addresses.
5. A power outage for a few minutes at a personal data controller’s call centre results in clients not being able to call the personal data controller and gain access to their data.
6. A personal data controller is subject to an attack using ransomware, which leads to all data becoming encrypted. There are no backups and the data cannot be restored. Upon closer inspection, it turns out that the sole purpose of the attack was to encrypt the information, and that there is no other malware in the system.
7. A person calls a bank’s call centre to report a personal data breach. The person has received another person’s monthly account statement.
8. A personal data controller runs an online marketplace. The marketplace is subject to a cyberattack and the attacker publishes the usernames, passwords and purchase history online.
9. A web host that acts as a personal data processor discovers an error in the code that controls user authorisation. The error results in all users being able to access all other users’ account information.
10. Patients’ hospital records are not available for 30 days due to a cyberattack.
Security measures for personal data
Matters concerning security measures for personal data shall be handled in accordance with a coherent framework for information security. Supported by such a framework, different types of information, for example personal data, are classified according to a set of parameters. Sensitive personal data and personal data that warrants special protection receive a higher classification and therefore a higher protection value than other personal data. Based on the classification, risk assessments and so on, different roles are responsible for ensuring that the right protection is in place. For example, system owners are to communicate which IT systems may be used for which types of information.
Work in this area is underway with the aim of implementing a new and approved framework. The work is run by the university’s Chief Information Security Officer and is expected to take some time to complete.
Until the aforementioned framework has been approved, the Data Protection Officer provides guidance based on the security principles in the General Data Protection Regulation (GDPR).
Recommendations:
- Pseudonymise personal data used in research if the purpose of the processing can still be fulfilled.
- Ensure an appropriate level of security with regard to the sensitivity, amount etc. of the personal data. This applies, for example, to IT-related protection such as storage, encryption and access control. Some of these IT services are offered by local IT units, LDC or system owners.
- Consider encryption and encoding
- Consider logging and follow-up
- Make sure to back up your storage solution
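The first two recommendations, pseudonymising a research extract and keeping the re-identification material separate from it, as an added example. This is not Lund University's, LDC's or Secure State Cyber AB's code. It assumes a constructed extract keyed on a personal identity number (the identifiers and names are fictitious), and the names new_key, pseudonymise, reidentify, candidate_ids and brute_force_unkeyed are this example's own. It also shows the failure mode where pseudonymisation is reversed without authorisation: an unkeyed hash of a personal identity number can be inverted by enumerating the identifier space, whereas a keyed hash cannot be inverted without the key.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample extract: fictitious personal identity numbers and names,
# with two visits by the same person so the longitudinal link is visible.
RAW_RECORDS = [
    {"personal_id": "19800101-1234", "name": "A. Andersson", "age": 44, "score": 71},
    {"personal_id": "19920315-5678", "name": "B. Berg", "age": 32, "score": 58},
    {"personal_id": "19800101-1234", "name": "A. Andersson", "age": 44, "score": 74},
]

# Columns that identify a person directly and must not reach the research copy.
DIRECT_IDENTIFIERS = ("personal_id", "name")


def new_key() -> bytes:
    """Pseudonymisation key. Held by the key custodian, never stored with the data."""
    return secrets.token_bytes(32)


def pseudonym(personal_id: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the identifier, truncated to 64 bits.

    The same identifier always maps to the same pseudonym under one key, so
    records from the same person stay linkable; a different key gives unrelated
    pseudonyms, so two projects cannot join their data sets on the pseudonym.
    """
    tag = hmac.new(key, personal_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return tag[:16]


def pseudonymise(records, key):
    """Split an extract into a research copy and a link table.

    The research copy has the direct identifiers replaced by a pseudonym and is
    what the project works with. The link table (pseudonym -> personal_id) is
    the additional information needed for re-identification and is stored
    separately, under access control, together with the key.
    """
    research_copy = []
    link_table = {}
    for rec in records:
        pid = pseudonym(rec["personal_id"], key)
        link_table[pid] = rec["personal_id"]
        research_copy.append(
            {"pid": pid, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}}
        )
    return research_copy, link_table


def reidentify(pid: str, link_table: dict) -> Optional[str]:
    """Authorised reversal: only possible for whoever holds the link table."""
    return link_table.get(pid)


def unkeyed_digest(personal_id: str) -> str:
    """What a naive 'just hash it' approach produces; used in the attack below."""
    return hashlib.sha256(personal_id.encode("utf-8")).hexdigest()


def candidate_ids(birth_date: str):
    """All 10 000 identity numbers for one birth date. The whole Swedish space
    is only about 10^8 values, so an unkeyed hash is invertible offline."""
    return [f"{birth_date}-{n:04d}" for n in range(10_000)]


def brute_force_unkeyed(digest: str, candidates) -> Optional[str]:
    """Unauthorised reversal of an unkeyed hash by trying every candidate."""
    for cand in candidates:
        if unkeyed_digest(cand) == digest:
            return cand
    return None


if __name__ == "__main__":
    key = new_key()
    copy, table = pseudonymise(RAW_RECORDS, key)
    for row in copy:
        print(row)
    print("reidentified via link table:", reidentify(copy[0]["pid"], table))
    recovered = brute_force_unkeyed(unkeyed_digest("19800101-1234"), candidate_ids("19800101"))
    print("unkeyed hash recovered:", recovered)
```

Store the key and the link table under a different role and access path than the research copy, so that a breach of the research copy alone identifies nobody; a breach of either half is still a personal data breach and must be reported as described above.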
For further support on issues concerning security measures for personal data, please contact our Chief Information Security Officer Ingegerd Wirehed. You may also send questions and matters to the function email address below, pending the approval and implementation of a new information security framework.
informationssakerhet [at] lu [dot] se
Contact
Lund University has an external Data Protection Officer, Secure State Cyber AB; the contact person at Secure State Cyber AB is Sanja Hebib.
If you have questions regarding data protection, please contact:
dataskyddsombud [at] lu [dot] se