Mandatory data breach notification
Summary
The data breach notification duty applies under the General Data Protection Regulation and makes it necessary to make a notification in the event of a (suspected) data breach. Below is information on the protocol Fontys follows and how to do so within Fontys ICT.
Reporting data breaches: what, how and where?
With the introduction of the mandatory data breach notification as of 1 January 2016, Fontys ICT has an obligation to report possible data breaches to the Corporate Information Security Officer (CISO) of the Fontys University of Applied Sciences.
Not every suspicion has to be a data breach. A data breach is defined by the Personal Data Authority 1) defined as a security incident involving personal data where unlawful access, processing or loss has occurred.
These include:
- A lost USB stick containing personal data (e.g. student study results)
- A break-in by a hacker (where e.g. student data and passwords were stolen)
- Sending e-mail in which the e-mail addresses of all addressees are visible to other addressees
- A malware infection
- The visibility of other people's personal data in an application, or on a portal, that you should not see
- Letters about payments, with the name and address details of different people on each letter, all inadvertently ended up in one envelope and sent to one person
- Leaving a sheet in the printer with someone else's personal data on it
- Theft or loss of your laptop or mobile with Fontys ICT data
Not sure if you have a data breach? If so, contact the information manager to discuss the case.
At Fontys level, a form is available for reporting data breaches. Fontys ICT operates according to this protocol.
Tips to prevent data breaches?
- Don't just forward e-mails;
- Secure documents containing sensitive data with a password;
- For sending confidential emails and large files, you can use Surfilesender;
- Be careful when assigning authorisations;
- Keep documents in the appropriate place or system and do not keep extra records on them;
- Always perform updates, both of computers and your mobile phones;
- Check the sender of every e-mail, where you are not one hundred percent sure it is correct. Also, hover your mouse over the link to see if it doesn't suddenly point to a completely different website;
- Do not click on 'unsubscribe' buttons of unknown newsletters, they could be phishing emails;
- Don't scan just any QR code, it could take you to the wrong website;
- For all accounts, use a phrase as the password, at least 16 characters (you can achieve that with most phrases);
- Use a password manager, you will only have to remember one password and all other passwords will be filled in automatically;
- Never keep your laptop in the car and always take it with you wherever you are.
1)
Data breach notification obligation [article]. Retrieved 28 March 2019 from https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/beveiliging/meldplicht-datalekken