Reporting Info Sec / Data Protection Incidents & New Processing Activities

Report all incidents & any new processing activities to the Data Protection Office. We are here to help and endeavour to respond within 1 business day.

data.protection@bnc.ox.ac.uk

• Any actual or suspected breach: Any College information no longer under our control that should be.
• Near misses: Even if no harm appears to have occurred, these can still help us learn and improve.
• New systems or processing activities: To assess if a Data Protection Impact Assessment (DPIA) is needed. If not, we still record that we considered it.

• Improves support: If you’ve had an issue, chances are others may too. The College IT team can then help others.
• Prevents repetition: Identifying patterns helps stop recurring problems.
• Strengthens processes: Spotting common causes leads to better systems & processes across the College.
• Ensures compliance: Helps the College show regulators it takes its obligations seriously and evolves.
• Protects individuals: Reduces risk to staff, students, and other stakeholders.

If you’re introducing a new (or changing an existing) processing activity or system, have a brief chat with the Data Protection Office. In most cases a DPIA (Data Protection Impact Assessment) will not be required, but the College is still required to briefly document that it considered one, and why it chose not to.

• Get in touch early in change to discuss whether a DPIA may be needed.
• Collective requirement to ensure risks are managed and compliance is built in from the start.

• Reporting an incident is a positive action. Mistakes happen, and we’re here to help. Disciplinary action is highly unlikely. It is not about blame — it’s about improvement, protection, and support.
• Disciplinary action is rare and generally only considered if incidents are deliberately hidden or ignored.
• Transparency builds trust and protects everyone.