Reporting of Information Security Incidents
All attacks on IT systems and all unauthorized handling of personal or sensitive data (information security incidents), or any suspicions of such incidents, must be reported to the university. These include, for example:
- Attacks on central IT systems (PAUL, PANDA, MACH) or decentralized IT systems (survey systems or research databases), where attackers may have gained access to or knowledge of personal data;
- System changes or the capture of access credentials (passwords) through the mass distribution of viruses, malware and/or spam emails;
- The unintentional misconfiguration of systems resulting in personal data being published;
- The inadvertent distribution of personal data to an email distribution list to which it does not belong;
- The loss of a mobile device (e.g. notebook, smartphone) or data medium (e.g. USB stick) on which personal data is stored;
- The inadmissible publication of paper-based documents, such as posting names with exam results.
Submitting a notification
- If an alleged or actual information security incident occurs, whether intentional or unintentional, please complete the notification form with all known facts. You can find the form in the “Relevant Documents” section below.
- If a mobile device or data medium containing personal data is lost or stolen, please also fill out the data media loss form. You can again find this form in the “Relevant Documents” section below.
Notify us as soon as possible. Prior to reporting the incident, please consult your department management, data protection coordinator and any affected colleagues and administrators.
Send the completed notification form via email to vorfall[at]upb[dot]de.
The notification form may only be omitted if it can be confirmed that the incident has already been reported by other employees. If there is any doubt, notification is required.
Handling of the notification by the incident team
Reports submitted are handled by an 'incident team'. This team includes the Data Protection Officer, the Information Security Officer, the CIO and the Central Data Protection Coordinator. The incident is examined and evaluated, and queries are made to the reporting person or the organizational unit if necessary.
Management of the organizational unit will also be contacted for further information, if necessary. Additional persons may also be contacted (e.g. administrators with knowledge of system details or external security experts).
If the incident poses any risks to those affected, it will be reported to the supervisory authority as soon as possible (usually within 72 hours of notification). The persons concerned are also informed of the data protection violation, if necessary. Because the university must give the authority reasons for any late report, the time of discovery should always be logged.
In any case, the incident will be documented within the university, and the affected organizational unit and university management will receive a corresponding report.
Background
Unauthorized use of sensitive and/or personal data may have negative consequences for the university and/or the person(s) concerned.
In the event of a 'breach of the protection of personal data' (data protection breach), the university is obliged, in accordance with Article 33 of the European General Data Protection Regulation (EU-GDPR), to react quickly, take effective countermeasures and, if necessary, report the incident to the relevant supervisory authority. The supervisory authority for the university is the State Commissioner for Data Protection and Freedom of Information in North Rhine-Westphalia (website in German only).
A data breach is a breach of data security resulting in the destruction, loss or alteration of personal data, or in the disclosure of personal data to unauthorized persons or unauthorized access to it (cf. Art. 4 No. 12 EU-GDPR).
To meet its timely reporting obligations under the GDPR, the university depends on its staff and organizational units reliably and immediately informing it of all information security incidents once they are known. It is irrelevant whether incidents are recognized by university staff, reported by a processor, or brought to the university’s attention by an outside source.
The university must document all data protection violations, including the facts, effects, and measures taken. This internal documentation must include more than just a notification of the violation to the supervisory authority.
Relevant Documents
Reporting an Information Security Incident
Reporting a Data Carrier Loss