A security incident is a breach of information security: perhaps a lost USB stick or a virus on your work laptop. As a result, you may no longer be able to access certain information, for example, while others can.

You should report a security incident to the ISSC Helpdesk as soon as you suspect or discover it. The Security Office will then be able to promptly take steps to remedy or prevent the incident. This will enable us to limit the (risk of) damage for the organisation. So be a hero: report it! Even if you’re not sure.

In the case of a data breach, someone has access to personal data when this is not permitted or intended. The definition also includes the accidental destruction, loss, alteration or disclosure of personal data due to this kind of breach.

You should report a (potential) data breach immediately to the ISSC Helpdesk. The Privacy Office will then be able to take steps as soon as possible to remedy or prevent the data breach, and to limit the (risk of) damage for the data subjects and the organisation.

The university also has a legal obligation to notify a data breach within a specified period on the basis of the GDPR. Some data breaches must be notified to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens; the supervisory authority) and the affected data subjects within 72 hours. So be a hero: report it! Even if you’re not sure.

Before holding a job interview, you print the applicant’s CV. You leave the printout in the printer and a colleague finds the CV.

This is an example of a data breach. Your colleague was accidentally able to see the applicant’s personal data.

You report this data breach to the ISSC Helpdesk. The Privacy Office then takes appropriate steps, such as destroying the CV by running it through the shredder. The data breach is recorded internally. Depending on the privacy risk for the applicant, it will also be notified to the Dutch Data Protection Authorityand/or to the applicant.

You leave your work laptop on the train. The laptop is not found again.

This is an example of a security incident. If the laptop contains personal data, then it is also a data breach. The laptop is protected, so it’s unlikely that anyone else has access to the information or personal data. Nevertheless, you need to report this as soon as possible.

You report the incident to the ISSC Helpdesk. The Security Office and/or Privacy Office then takes appropriate steps, such as remote wiping of the laptop. We can then be sure that the information and possible personal data remain secure.

A student receives another student’s grade list instead of their own. The student reports this to Student & Educational Affairs (SOZ).

This is an example of a data breach. The student accidentally saw another student’s personal data. SOZ must report this to the ISSC Helpdesk as a data breach.

The Privacy Office can then take follow-up steps together with SOZ. For example, the student may be asked to return the list (if it was received on paper) or to delete the file and the email (if it was received electronically). This data breach is recorded internally. Depending on the privacy risk for the other student, it will also be notified to the Dutch Data Protection Authority and/or to the other student.