1. Objective

To provide guidelines for handling and reporting data breaches.

2. Scope

These guidelines shall apply to all University units.

3. Responsibility

The Process Owner or Head of Office shall be responsible for the implementation of these guidelines.

4. Guidelines
    • In the event that there is reasonable belief that a security incident or personal data breach has occurred, the facts and circumstances regarding the same shall be immediately reported to the Head of Office, who, in turn, shall immediately report the matter to the DPO for verification.
    • If the DPO has ascertained that there is a likelihood that a personal data breach has indeed occurred, the DPO shall convene the DBRT, which shall determine whether or not a personal data breach requiring notification under the DPA has occurred, and the relevant circumstances surrounding the reported security incident or personal data breach.
    • If required by the circumstances, the DPO shall notify the NPC and the affected data subjects pursuant to the requirements and procedures prescribed by the DPA.
    • The notification to the NPC and the affected data subjects shall at least describe the nature of the breach, the personal data possibly involved, and the measures taken by the University to address the breach.
    • The notification shall also include the measures taken to reduce the harm or negative consequences of the breach to the data subjects, as well as the name and contact details of the DPO.
    • The form and procedure for notification shall conform to the regulations and circulars issued by the NPC, as may be updated from time to time.
    • All security incidents and personal data breaches shall be documented through written reports, including those not covered by the notification requirements.
    • In the case of personal data breaches, a report shall include the facts surrounding an incident, the effects of such incident, and the remedial actions taken by the University.
    • For other security incidents not involving personal data, a report containing aggregated data shall constitute sufficient documentation.
    • A general summary of the reports shall be submitted by the DPO to the NPC annually.