A security incident is an error or leak in a system that is used. As a result of this error or leak, a system may no longer be reliable or available, for example. A security incident is not always a data breach. We speak of a security incident when no personal data are involved in a fault or leak. For example, if a laptop gets lost, but access to it is not possible due to security measures, we speak of a security incident. A data leak concerns possible, unauthorised access of third parties to personal data. Data leaks are usually caused by human actions.
Examples of data leaks:
- A wrongly sent email, or an email with the recipients in the to- or cc-field instead of the bcc-field.
- The loss of your business mobile phone or laptop with the risk of personal data leaks.
- An incorrectly sent or delivered letter.
- Loss or theft of a usb stick containing personal data.
- Personal data that is processed or viewed by an employee who does not have the authority to do so.
- A fire in the server room and no back-up available, resulting in the loss of personal data.
What should you do in the event of a security incident or a (possible) data breach?
- go directly to or call the privacy coordinator (PC) of your own institute or NWO-I office
- or send an email to firstname.lastname@example.org with a cc to the privacy coordinator of your own institute or NWO-I office.
It is important that you report a security incident or data breach as soon as possible and with as many details as possible. Your privacy coordinator can help you with this. The data breach team will then ask you for more information and advise you and your manager to take certain measures in order to limit the consequences of the security incident/data breach as much as possible. You will be informed whether a data breach must be reported to the Personal Data Authority and/or NWO-I's business relations.