Students Staff

Loss of personal or restricted information

It’s important that we keep personal information (information about staff, students, applicants and others) and restricted information (as defined in our information policy) safe. We mustn’t lose it or share it with anyone who doesn’t have a right to see it. This doesn’t mean that we can never share information, but we should always think about the best way to do it.

From time to time we all make mistakes. If you accidentally share personal information, perhaps through emailing something to the wrong address, you must report it without delay to the Information Assurance Manager. Prompt reporting allows us to minimise the problems caused by accidental sharing, as well as ensuring we can comply with legal timetables for reporting where necessary.

  • Report accidental loss

    If you have, or think you have, accidentally shared personal or other restricted information with someone who wasn’t entitled to see it, you must report it. Send an email to the Information Assurance Manager (

    Please include as much of the following information as possible:

    • your name and contact details
    • a brief description of the incident (when did it happen, how did you spot the error, what information was involved, who was it shared with, what caused the accident to happen etc.)
    • any action you’ve taken already to alert people or change practice to avoid the same problem happening again
    • names of anyone else you’ve reported this to (e.g. your line manager)

  • What happens next

    The Information Assurance Manager will want to address and repair the damage done, offer support to people whose information has been compromised, and offer support and training to you to prevent a repeat incident.

    They will take some or all of the following steps:

    • speak to you to find out exactly what happened and why
    • decide whether it’s possible to retrieve the information
    • if it’s personal information, decide whether the people whose information has been released should be contacted with an explanation and apology
    • decide if further action needs to be taken to protect the people whose information is involved or to protect the University
    • review systems and processes to see if they need to be changed
    • review the training and support available
    • offer training and support to you
    • report the incident to the Director of IT Services for further action
    • if it’s personal information, report the incident to the Information Commissioner

  • How to avoid information loss

Deliberate misuse

Deliberately sharing personal information with someone who doesn’t have a right to see it is an offence. Serious action will be taken against any member of staff who abuses their access to personal information.