Data Breach Guide

Have you been affected by a data or security incident?

Chichester College Group (CCG) takes steps to prevent and mitigate the effects of IT Security and personal data breaches. However, we recognise incidents can happen and therefore we want all our staff, customers and stakeholders to know what to do if a breach does occur and how to protect yourself. This guidance is designed for our staff, students and other stakeholders.

Chichester College Group is a data controller and is registered with the Information Commissioner’s Office with registration number Z4919601.

What is a personal data breach?

The General Data Protection Regulation defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

A personal data breach could be due to cyber criminals, sharing your data with unauthorised persons or sending personal data to the wrong email address or postal address.

How can I protect myself?

• Never give out your login details. CCG will never ask you to disclose your password over the telephone or through email.
• Use long passwords which are not easy to guess and do not use the same password across multiple accounts.
• Do not use your CCG password on non-CCG systems.
• Do not save account passwords on publicly accessible or shared devices.
• Where possible enable multifactor authentication.
• Never transfer money or purchase gift cards if you were not expecting too.
• Use anti-virus and anti-malware software.
• Keep all of your devices and apps up to date.
• Keep confidential documents in a safe and secure place and shred or destroy old documents when they are no longer required.
• In emails and instant messaging applications treat all links and attachments as suspicious and do not open them unless you were expecting to receive them.
• Monitor your accounts both online and financial, check for unusual activity, check your email deleted items folder and flag any suspicious activity.
• Do not transfer personal or sensitive data on unencrypted removable media such as memory sticks or CDs.
• Only store data on CCG network drives or Office365 – CCG can restore you data (subject to retention schedules) from these systems if they became corrupted.

I believe I am the victim of a data breach or cyber attack

• If the breach includes Chichester College Group data or systems, you must inform the Data Protection Officer immediately. Alternatively, contact Computer Services (CSU). They will be able to provide specific advice and guidance for the type of incident you are experiencing.
• If you disclosed your login credentials or an account has been compromised change your password. Change your password on any other sites or systems where the same or similar passwords are used. You can change your College password at http://password.chichester.ac.uk
• Report all lost or stolen documents, such as passports, driving licences, credit cards and cheque books to the organisation that issued them.
• Inform your bank, building society and credit card company of any unusual transactions on your statement or if you paid any money, or provided any personal details such as your bank details.
• If you believe you have been a victim of fraud, you can also report it at https://reporting.actionfraud.police.uk.
• You can report phishing emails to the National Cyber Security Centre by forwarding it to report@phishing.gov.uk.

Chichester College Group Data Protection Officer

The Data Protection Officer provides advice and guidance on data protection compliance and monitors the Group’s compliance with data protection legislation. Anyone is able to contact the DPO for advice or to raise any concerns.

The Data Protection Officer for Chichester College Group is Benjamin Phillips.

The Data Protection Team can be reached by emailing dp@chichester.ac.uk or by calling 01243 786 321 extension 2653.

Can I contact the Information Commissioner’s Office?

The Information Commissioner’s Office (ICO) is the UK supervisory authority for data protection legislation. If an organisation experiences or suspects a personal data breach, this should be investigated. Where the investigation shows the breach did occur and there is a risk to your rights and freedoms the organisation has a duty to inform the ICO who will conduct their own investigation.

In the first instance you should contact Chichester College Group to raise any concerns or discuss the effect of a personal data breach. If you are unsatisfied with our response you also have the right to contact the ICO. They will use the information you have provided and our response to your concerns when deciding their next steps and any action they will take. This action can take a variety of forms. You should raise the matter with the ICO within three months of your last contact with Chichester College Group.

The ICO cannot act as your representative, award compensation or – apart from in the most serious cases – punish an organisation for breaking the law.

You can contact the ICO here: https://ico.org.uk/global/contact-us/

Where can I find other sources of independent advice?

If you experience a personal data breach or cyber attack the responsible organisation has a duty to provide advice and guidance. However, there are a number of other sources of advice and guidance and we have compiled a list:

Information Commissioner’s Office

• Website: https://ico.org.uk
• Telephone Number: 0303 123 1113
• Your data matters: https://ico.org.uk/your-data-matters/

Action Fraud

• Website: https://www.actionfraud.police.uk
• Telephone Number: 0300 123 2040

National Cyber Security Centre

• Website: https://www.ncsc.gov.uk

Which?

• Website: https://www.which.co.uk/consumer-rights/l/data-protection

To check if accounts associated with your email address have been compromised in a data breach use the website ‘have I been pwned?’, a free database of verified data breaches.

• Website: https://haveibeenpwned.com