Data Breach Reporting Procedure
The operating procedures below apply to reports of personal data breaches by parties external to the University of Turin and are an extract from the 'Data Breach Procedure' available on the University intranet.
'Data Breach' refers to accidental or unlawful action leading to the destruction, loss, alteration, unauthorised disclosure of or access to personal data which has been transmitted, stored or otherwise processed (Art. 4 para. 1 No. 12 GDPR).
Breaches can be classified based on three information security principles:
- breach of confidentiality or privacy: this occurs by unauthorised or accidental disclosure of or access to personal data
- integrity breach: this occurs by unauthorised or accidental alteration of personal data
- breach of availability: this occurs by accidental or unauthorised loss, access or destruction of personal data
A security incident is defined as a series of one or more unwanted, abnormal events that could compromise the University's normal activities and threaten the security of its information, adversely affecting its confidentiality, integrity and availability and potentially impacting natural persons’ rights and freedoms (Art. 33 GDPR).
The procedure outlines the operational methods for reporting possible personal data breaches (actual, potential or suspected) by parties external to the University (ie students, general public, companies and public organisations). Students are considered external only for the purposes of this personal data breach detection procedure.
The person who reports a breach must always provide their personal and contact details and cooperate during the preliminary stages of the procedure.
Anyone outside the University community who discovers even a possible breach of personal data relating to the University of Turin can make a report:
When an external user reports a data breach to the University, it prompts an examination and investigation process involving immediate communication with those holding different levels of responsibility. It initiates enquiries to ascertain the nature of the incident and assess the risk and seriousness of the event in accordance with European Data Protection Regulation (GDPR) methods and timeframes.
Once the breach analysis and risk assessment have been concluded, the Supervisory Authority and data subjects will be advised, depending on the seriousness of the event.