Report a personal data breach

If you are a member of the Tampere University community (staff or student) or a user of our services and you observe or suspect a personal data breach, these instructions explain how to proceed. Prompt reporting helps us investigate any potential security breach quickly.

Definition

A personal data breach is an event that results in personal data being destroyed, lost, altered, disclosed without authorisation, or accessed by a party that has no right to process the data.

Notification of a personal data breach: Instructions for staff, students and users of our services

Report a personal data breach, or a suspicion of one, even if you are not certain; the threshold for reporting is deliberately low. Based on your report, we will open an investigation into the personal data breach and take the necessary measures.

Report a personal data breach or other information security incident to the organisation that processes your personal data as controller:

University of Tampere (TAU): dpo [at] tuni.fi and tietoturva [at] tuni.fi
or
Tampere University of Applied Sciences (TAMK): tietosuoja.tamk [at] tuni.fi and tietoturva [at] tuni.fi

Use “Security Breach Notification” or another descriptive title as the subject line of the email. In the notification, state:

•    How did you discover or find out about it?
•    When (date and time) did you discover or receive information about it?
•    What is the incident about?
•    Which processing activity, program, application or system does your notification concern?
•    Your phone number and email address for more information.

Investigating a personal data breach usually requires additional information from the person who reported it, so please also provide your contact details. Do not send personal data requiring protection (such as your social security number) or confidential information by unsecured email. Unsecured email may only be used to inform us that a personal data breach has occurred or that you suspect one has occurred.

If, in the performance of your duties, you have become aware of suspected unlawful processing of personal data or a personal data breach and wish to report your observations anonymously, you can request that the matter be investigated anonymously through the reporting channel referred to in the Act on the Protection of Whistleblowers. Instructions for making a report through that channel can be found on the intranet.

You can get advice on reporting from the Data Protection Officer. Contact details are given in the Advice section below.

Notification of personal data breaches: Instructions for the service provider or other processor

Everyone who processes personal data on behalf of either higher education institution ('processor') is obliged to notify the university acting as controller, without delay, of any personal data breach they have detected or become aware of.

A personal data breach is notified to the controller by e-mail:

University of Tampere (TAU): dpo [at] tuni.fi and tietoturva [at] tuni.fi 
or
Tampere University of Applied Sciences (TAMK): tietosuoja.tamk [at] tuni.fi and tietoturva [at] tuni.fi

Use “Data Breach Notification” or another subject line that clearly states the matter.

Before notifying, the processor should verify that the finding is genuine, but it does not need to assess the likelihood or severity of the breach; that assessment is the controller's responsibility. The processor's task is only to establish whether a personal data breach has occurred and to notify without delay. A personal data breach compromising the confidentiality of personal data, including a finding of shortcomings in the protection of personal data, must always be reported without undue delay. Lack of complete or accurate information is not a reason to postpone the notification.

Unsecured email may only be used to communicate that a personal data breach has occurred. If the notification contains personal data requiring protection, special categories of personal data or confidential information, it must be sent by secure email or in another way that protects the data.

In its notification of a personal data breach, the processor shall at least:

  1. Describe the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  2. Indicate the name and contact details of the data protection officer or another contact point where further information can be obtained;
  3. Describe the likely consequences of the personal data breach, and
  4. Describe the measures it has taken in response to the personal data breach, including, where appropriate, measures to mitigate any adverse effects and the measures it proposes to the controller.

In addition to the notification, the processor shall provide, without undue delay, written documentation or a corresponding report on the incident describing the corrective measures it has taken to stop the personal data breach and to reduce the damage caused to data subjects. This separate report is not required if the notification itself already contained all the information specified in the General Data Protection Regulation and in the agreements and instructions between the university and the processor. If all the information cannot be provided at once, it may be provided in phases.

Processing of the notification

We document all reports and all personal data breaches that have occurred. An email notification of a personal data breach is forwarded to the university's Data Protection Officer and Information Security Manager for processing. Members of the data protection team and the information security team also have access to the report and may take part in investigating what happened.

If necessary, an investigation meeting or similar consultation is arranged between the relevant experts and the parties involved. As controller, we notify the data protection authority, joint controllers and other parties where required. As controller, we also notify the data subjects whose personal data was involved where required.

Records relating to the processing of a personal data breach are retained for 10 years after the reported or detected breach has been investigated and the related matters resolved. Unfounded reports and unnecessary personal data may be deleted earlier. An individual report may be retained for longer if this is necessary for the establishment, exercise or defence of legal claims.

Advice

For advice on reporting a personal data breach, please contact:

University of Tampere (TAU)

Sanna Vartia, Data Protection Officer of the University of Tampere,
dpo [at] tuni.fi or by phone +358 (0)294 5211 (university switchboard),
for matters concerning the university's information or services.

Tampere University of Applied Sciences (TAMK)

Niku Hinkka, Data Protection Officer of Tampere University of Applied Sciences,
tietosuoja.tamk [at] tuni.fi or by phone +358 (0)294 5222 (University of Applied Sciences switchboard),
for matters concerning the information or services of the University of Applied Sciences.

See also the guidance on this topic on the website of the Office of the Data Protection Ombudsman.