A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss or alteration of personal data. Personal data breaches must be reported in the IA system as soon as possible.
A personal data breach can also be the unauthorised disclosure of or access to data. Breaches can be accidental or deliberate.
Some examples of personal data breaches:
- Computers with personal data are stolen or lost.
- Unauthorised access to personal data, e.g. sending an email with personal data to the wrong recipient, or using the wrong access settings for a folder.
- Someone changing personal data without permission.
- Personal data no longer being available to those who need it, with negative consequences for the data subject. An example is if original data are unintentionally destroyed and cannot be recreated.
Personal data breaches must be reported
SLU must document all personal data breaches that occur. If the breach involves risks to the rights and freedoms of data subjects, the incident must also be reported to the Swedish Authority for Privacy Protection (IMY).
This must be done within 72 hours of SLU finding out about the breach. The report is submitted by the SLU data protection officer. All SLU staff must report incidents as soon as possible. This is done through the IA system.
If you are not sure if the incident was a personal data breach, contact firstname.lastname@example.org. Write PUI in the subject line.