Incident handling

Data User

Department

Department

Head

Data Protection Office

What personal data were concerned?
How many data subjects were/could be affected by the data breach?
What is the nature of the data breach (e.g. leakage, loss, unauthorized use, etc)?
When, where and how did the data breach take place?
What was the duration of the data breach?
When, where, how and by whom was the data breach discovered?
What was the cause of the data breach?

* Report incident to DPO office as soon as possible

Head

Factors for Escalation

Head

Department will file the report for record.

Head

Relevant Parties

Notify

University Data Protection Officer
PCPD Privacy Commissioner – report details, DPO practice in place, remedial actions. Fill in PCPD Data Breach online notification form
Affected data subjects
Develop and Execute remediation plan

When an incident happens,

Do discovery and report by/in the Concerned Faculty / Department / Centre
Inform/ Report the incident with DPO office and Head of Faculty / Department / Centre, with consideration of Part VII of Code of Practice
Assess and take actions including consideration of factors by the Concerned Faculty / Department / Centre head in Charge
DPO office with IT Security to
- Issue a Preliminary Written Advice to the Relevant Office/Work Unit with reference to here
- Review and Consider the Formal Report if submitted pursuant to Part VII (with discussion with relevant colleagues)

Data user’s database containing personal data being accessed without authorization.
The improper handling of personal data such as improperly sending it to the wrong party or unauthorized access of the data.
The disclosure of personal data to a third party who obtained it by deception.
The loss of personal data kept in storage, eg. Portable devices, backup systems.