The risks in a personal data incident can consist of someone losing control over their own personal data or that their rights are restricted. A personal data incident has occurred if, for example, data concerning one or more registered persons has:
- been destroyed,
- otherwise lost, or
- gotten into the wrong hands.
A personal data incident is thus a security incident that has affected the confidentiality, accuracy or availability of the data.
An example of when a personal data breach has occurred is when:
- An unauthorized party has gained access to personal data, for example if someone has sent personal data to recipients who should not have the data.
- Computers containing personal data have been lost or stolen.
- Someone has altered personal data without permission.
- The personal data is not available to those who need it, and this leads to negative effects for the registered persons.
The University of Gothenburg is responsible for handling and assessing personal data incidents that occur within the university's operations, including within student projects (for example essays, projects or other assignments).
How to report a personal data incident
When you suspect that a personal data incident has occured at the University of Gothenburg, you must report it as soon as you become aware of it. You do this by sending an email to email@example.com with a copy to your supervisor or the teacher responsible for the course.
The Data Protection Group at the university will then begin documentation and assessment of the incident. When reporting, the information described below should be included.
It is very important that reporting is done quickly, as serious incidents must be reported to the Swedish Authority for Privacy Protection (IMY) within 72 hours of the incident being discovered. During the 72 hours, the Data Protection Group at the university and the Data Protection Officer must have time to make their assessment of the incident.