Reporting of Information Security Incidents

All attacks on IT systems and any unauthorized handling of personal or sensitive data (information security incidents), as well as suspicions thereof, must be reported to the university. These include, for example:

  • Attacks on central IT systems (PAUL, PANDA, MACH) or decentralized IT systems (survey systems or research databases) in which attackers may have gained knowledge of or access to personal data,
  • System changes or the spying out of access codes (passwords) through mass distribution of viruses, malware and/or spam e-mails,
  • The unintentional misconfiguration of systems resulting in personal data being published,
  • Accidentally sending personal data to an e-mail distribution list that should not receive it,
  • The loss of a mobile terminal device (notebook, smartphone) or data medium (USB stick) on which personal data is stored,
  • The inadmissible publication of paper-based documents such as posting names with exam results.

Submitting a notification

If an alleged or actual information security incident – whether intentional or unintentional – occurs, please complete the notification form with all known facts:

In the event of loss or theft of a mobile device or data medium containing personal data, please also complete the following:

Submit the notification as soon as possible. Before reporting the incident, please involve your department management and data protection coordinator and, if necessary, any affected colleagues and administrators.

Send the completed notification form by e-mail to vorfall@upb.de.

The notification form may only be omitted if it is certain that the incident has already been reported by other employees. If there is any doubt, notification is required.

Processing of the notification by the incident team

Submitted reports are handled by an “incident team”. This team includes the Data Protection Officer, Information Security Officer, CIO and the Central Data Protection Coordinator. The incident is examined and evaluated; if necessary, the team sends queries to the reporting person or the organizational unit.
The management of the organizational unit will also be contacted or invited to provide further information. If necessary, additional persons may be contacted (e.g. administrators with knowledge of system details or external security experts).

If there are possible risks for those affected, the incident will then be reported to the supervisory authority as quickly as possible (usually within 72 hours of the notification). If necessary, the persons concerned are also informed of the data protection violation. Because a late report obliges the university to give reasons to the authority, the time of discovery should always be logged.

In any case, the incident is documented within the university, and the affected organizational unit and university management receive a corresponding report.

Background

The unauthorized use of sensitive and/or personal data may have negative consequences for the university and/or for the person(s) concerned.

In the event of a “breach of the protection of personal data” (data protection breach), the university is obliged, in accordance with Article 33 of the European General Data Protection Regulation (EU-GDPR), to react quickly, to take effective countermeasures and, if necessary, to report the incident to the responsible supervisory authority. The supervisory authority for the university is the State Commissioner for Data Protection and Freedom of Information NRW. (German Only)

Data breaches are breaches of data security resulting in the destruction, loss or alteration of personal data, or in disclosure to unauthorized persons or unauthorized access to personal data (cf. Art. 4 No. 12 EU-GDPR).

To meet its timely reporting obligations under the GDPR, the university depends on its staff and organizational units reporting all information security incidents reliably and immediately once they become known. It is irrelevant whether the incidents are recognized by university staff, reported by a processor or brought to the university’s attention from an outside source.

The university is obliged to document data protection violations including all facts, their effects and the measures taken. The content of this internal documentation goes beyond the content of a simple notification of the violation to the supervisory authority.

Relevant Documents

Reporting an Information Security Incident:

Word: Incident Report.docx
OpenOffice: Incident Report.odt
PDF: Incident Report.pdf

Reporting a loss of data media:

PDF: Supplementary questions for reporting a loss of data media.pdf
