Personal data incidents

A personal data incident is a security incident that can involve risks for people's rights and freedoms. Everyone at the University of Gothenburg has an obligation to report incidents that they discover.

The risks in a personal data incident can consist of someone losing control over their own personal data or that their rights are restricted. A personal data incident has occurred if, for example, data concerning one or more registered persons has:

  • been destroyed,
  • otherwise lost, or
  • gotten into the wrong hands.

A personal data incident is thus a security incident that has affected the confidentiality, accuracy or availability of the data. 

An example of when a personal data breach has occurred is when: 

  • An unauthorized party has gained access to personal data, for example if someone has sent personal data to recipients who should not have the data.
  • Computers containing personal data have been lost or stolen.
  • Someone has altered personal data without permission.
  • The personal data is not available to those who need it, and this leads to negative effects for the registered persons.

The University of Gothenburg is responsible for handling and assessing personal data incidents that occur within the university's operations, including within student projects (for example essays, projects or other assignments). 

How to report a personal data incident

When you suspect that a personal data incident has occured at the University of Gothenburg, you must report it as soon as you become aware of it. You do this by sending an email to dataskydd@gu.se with a copy to your supervisor or the teacher responsible for the course.

The Data Protection Group at the university will then begin documentation and assessment of the incident. When reporting, the information described below should be included.  

It is very important that reporting is done quickly, as serious incidents must be reported to the Swedish Authority for Privacy Protection (IMY) within 72 hours of the incident being discovered. During the 72 hours, the Data Protection Group at the university and the Data Protection Officer must have time to make their assessment of the incident.

This must be included in the reporting

  • Time and date when the incident was discovered.
  • Time and date when the incident occurred, alternatively an estimate of how long the incident has been going on.
  • A brief description of the incident, what has happened?
  • What types of personal data is affected and which categories of people are affected (for example, other students or people whose personal data is part of your project).
  • How many people are affected by the incident, and how much personal data is affected for each affected person? 
  • Contact details of the person responsible for your course and the person responsible of the incident (usually you as a student when processing personal data in your project).
  • Description of any measures that have already been taken or, if the incident is no longer ongoing, description of how it has been taken care of or been corrected.

This happens after you have reported an incident

After the Data Protection Group receives your report, the incident will be assigned a case number. An initial assessment is then made in consultation with you who have reported the incident and with the person responsible for the incident according to university procedures.

In some cases, the Data Protection Group contacts the Data Protection Officer to get their opinion on whether the incident should be reported to the Swedish Authority for Privacy Protection (IMY). The Data protection group contacts the Data Protection Officer when it is difficult to assess the incident or when particularly serious incidents have occurred.

The Data Protection Group, the Data Protection Officer and the person responsible for the incident develop an action plan together to handle the incident as quickly as possible. If the incident must be reported to IMY, the Data Protection Group supports the person responsible for the incident in the reporting. Examples of measures that can be taken in connection with an action plan include:

  • Changing of the processing to reduce the risk for those registered.
  • The registered persons are informed about the incident, the consequences of the incident and what measures have been taken to take care of or correct the incident. 
  • A report is submitted to IMY with information about the incident. 

Contact

Incidents must be reported to the university's Data Protection Group: dataskydd@gu.se 

A copy should be send to your supervisor or the teacher responsible for the course.