The new legal framework dealing with the protection of personal data establishes very strict measures in relation to security breaches that may occur when organizations process personal data.
This resolution updates the Resolution of 18 January 2012 regulating the procedure for reporting, handling and responding to security incidents affecting personal data and adapts its procedure to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter GDPR). One of the characteristic features of the new legal framework on data protection is the need to report to the supervisory authorities (the Catalan Data Protection Authority in the case of UPF) within 72 hours of any security breach that may occur, as well as to notify data subjects of security breaches that may pose a high risk to their rights and freedoms.
In accordance with article 73 of Organic Law 3/2018, of 5 December, on the protection of personal data and the guarantee of digital rights (hereinafter, LOPDGDD), failure to comply with the duty to report to the competent supervisory authority or to notify the data subject of the security breach may result in the University committing a serious infringement.
In view of this regulation, there is a need to update the procedure for reporting and handling security breaches that may occur at the University in relation to the processing of personal data that it carries out.
Hence, by the powers vested in me by Article 52 of the Statutes of Pompeu Fabra University,
I HAVE HEREBY DECIDED:
Article one.- To approve the procedure for reporting and handling security breaches of personal data processed by Pompeu Fabra University, as set out in the appendix hereto.
Article two.- To authorize the general manager to take any appropriate action to deploy and implement this resolution.
Sole repealing provision
The Resolution of 18 January 2012 regulating the procedure for reporting, handling and responding to security incidents affecting personal data is repealed.
Sole final provision
This resolution comes into force from the day following its publication.
Oriol Amat i Salas
Barcelona, 26 October, 2021.
PROCEDURE FOR REPORTING AND HANDLING SECURITY BREACHES OF PERSONAL DATA PROCESSED BY POMPEU FABRA UNIVERSITY
Article 1. Purpose and scope of application
1. The purpose of this procedure is to establish the mechanisms for reporting and handling any security breaches that may occur in the processing of personal data by the University. A breach of the security of personal data is understood as any situation that involves the destruction, loss, accidental or illegal alteration, communication, access or unauthorized publication of personal data processed by Pompeu Fabra University, both as data controller and as data processor.
2. This procedure applies to PDI, PAS, students, staff subcontracted by UPF and anyone who interacts with the University who is aware of a security breach of the personal data processed by the University.
Article 2. Internal communication procedure
1. Anyone who has evidence of a possible breach of the security of personal data must notify the University’s Data Protection Officer immediately and without undue delay via the email address [email protected]
2. This notification must set out:
a) The date and time of detection of the security breach and, if known, when it began.
b) A description of the security breach, if possible indicating:
- The type of breach (deletion or loss, improper alteration, improper disclosure, publication, etc.)
- The extent of the breach (number of people affected, number of people who have had unauthorized access to information, etc.)
- The types of data affected (identification data, academic data, financial data, health data, etc.)
c) Where appropriate, measures adopted or proposed to avoid or minimize possible harm.
d) The identification and contact details of the person reporting the breach.
e) Any other information deemed useful for handling the security breach.
Article 3. Verification of internal communication
1. Immediately after receiving a report of a possible security breach, the Data Protection Officer must analyse it in order to verify its existence and possible extent.
2. Given that there is a window of only 72 hours between detecting a possible security breach and reporting it to the supervisory authorities, the tasks of verifying a possible security breach should receive immediate support from other University staff.
3. If the existence of a security breach is confirmed, the Data Protection Officer will immediately notify the general manager and the head of the service or administrative unit or principal investigator of the research group responsible for the management of the processing of the personal data affected.
4. The Data Protection Officer, together with the head of the service or administrative unit or principal investigator of the research group involved or the person to whom s/he delegates, will jointly determine the extent of the situation and the proposed actions to be taken to resolve or to mitigate the security breach, as well as to try to prevent it from happening again in the future.
5. The person in charge of ICT security may be asked to cooperate if deemed necessary to implement the tasks set out in the previous point.
Article 4. Reporting to the supervisory authority
1. Pursuant to Article 2.i) of the rector’s Resolution of 4 December 2018 on organizational measures in the field of the protection of personal data at UPF, it is the responsibility of the general manager to report to the Catalan Data Protection Authority (hereinafter, APDCAT), in accordance with the provisions of Article 33 of the GDPR, any breaches of security concerning personal data under the responsibility of Pompeu Fabra University.
2. The University’s Data Protection Officer will draw up a proposal for notification addressed to the APDCAT which will contain the points set out in Article 33.3 of the GDPR.
3. The Data Protection Officer will send the proposal for notification to the general manager sufficiently in advance for the latter to review it, amend it, should the latter deem it appropriate, and send it to the APDCAT within 72 hours of the detection of the security breach, as established by law.
Article 5. Notifying those affected
1. In the event that a breach of the security of personal data may pose a high risk to the rights and freedoms of the data subjects, the University will inform them without undue delay.
2. Such notification will not be required when:
a) The University has adopted suitable technical and organizational measures to protect the personal data affected by the security breach, especially those that render personal data unintelligible to any person who is not authorized to gain access to them, such as encryption;
b) The University has taken subsequent measures to ensure that the possibility of the existence of a high risk to the rights and freedoms of those concerned no longer exists.
3. This notification will outline the nature of the breach, its possible consequences, the steps taken, and the recommendations so that persons may mitigate any potential adverse effects.
4. Data subjects may request that the University keep them informed of the development of the security breach.
5. In view of the proposal made by the Data Protection Officer, it shall fall to the general manager to decide whether or not to report a security breach to the data subjects.
6. Should the general manager deem it appropriate to report a security breach to the data subjects, it is the responsibility of the Data Protection Officer to issue such notification and to monitor the security breach.
7. When notifying the data subjects involves a disproportionate effort, it will be necessary to assess the appropriateness of issuing a public notification or an equivalent measure, which informs the data subjects with equal effect.
Article 6. Monitoring reported security breaches
1. It is the responsibility of the Data Protection Officer to liaise with the APDCAT in relation to reports by the University of security breaches.
2. It is the responsibility of the Data Protection Officer to monitor the actions to be taken to resolve or minimize the effects of the security breach, as well as to prevent the situation from occurring in the future.
3. The Data Protection Officer shall periodically inform the general manager and the heads of the services, administrative units or principal investigators of the research groups involved in data processing of the security breach until it can be considered a closed matter and it has been possible to verify the effectiveness of the measures taken accordingly.
Article 7. Records related to personal data protection security breaches
1. It is the responsibility of the Data Protection Officer to keep a record of security breaches regarding personal data protection that the University has reported to the APDCAT.
2. The Record of security breaches will contain:
a) The date and time of becoming aware of the breach.
b) An identification code.
c) The classification of the security breach.
d) The date and time of the events (if known).
e) A summary of the incident.
f) A statement of the events.
g) A list of the data affected.
h) A list of the persons affected.
i) The possible effects on the data subjects.
j) A copy of the notification to the APDCAT.
k) An analysis of whether or not there is a need to inform the data subjects.
l) When applicable, a copy of the notification to the data subjects.
m) A list of corrective or mitigating measures implemented.
n) A list of steps taken to prevent the security breach from happening again.
o) The date and time of the closure of the security breach.
3. It is the responsibility of the Data Protection Officer to also keep a record of risk situations, which will contain information relating to events that were reported as a possible security breach, but were eventually ruled out.
4. The Record of risk situations will also contain information on situations in which there was a significant risk of the occurrence of a security breach, which, thanks to the actions taken, was prevented.
5. The Record of security breaches and the Record of risk situations may be accessible to the University’s management team, especially the general manager and the general secretary, and to the persons they may appoint.
Article 8. Processing agreement and joint control in the processing of personal data
1. In the event that evidence of a possible breach of security is detected in the processing of personal data carried out by the University as data controller on behalf of a third party or as joint controller together with (an)other organization(s), the possible data breach must be reported to the University Data Protection Officer in accordance with the provisions of Article 2 herein.
2. The Data Protection Officer will advise the heads of the services, administrative units or principal investigators of the research groups responsible for managing the processing agreement regarding the actions to be taken in accordance with current legislation and the provisions of the regulatory document of the processing agreement or joint control agreement.
3. In the event that the University entrusts the processing of personal data to third parties, the latter must notify the University of any possible security breaches in accordance with the provisions of this procedure. The University shall undertake to notify the APDCAT and, when applicable, the data subjects, unless another procedure is established in the processing agreement.