How to report a security breach that does not involve personal data

Aarhus University has a strong focus on information security. If a security breach occurs, you are obligated to report it to the university...



You are obligated to report a security breach to your local IT support or AU's Information Security Unit, even if personal data is not involved.


Procedure for security breaches

This procedure describes how reported security breaches that do not involve personal data are managed by Aarhus University:

A security breach is reported

Security breaches are reported to the local IT support team or to AU’s information security unit, but the incident will be set up and processed as a case in Cherwell (AU’s IT service management system).

  • The incident is set up as a case in Cherwell following AU's incident procedure

Phishing incidents are reported via the ‘report message’ (Rapportér meddelelse) button in Outlook; here is how you report phishing mail.

Assessment and possible hierarchical escalation

The assigned unit is responsible for the incident. If the incident is assigned to a different unit according to the type, content and solution of the incident, the responsibility goes with it.

  • The incident is described in as much detail as possible, for example indicating whether it is a case of stolen equipment, leaked data (data classification), etc. 
  • The incident is assessed with regard to level of severity and criticality
  • The incident is assigned to the relevant unit (IT support, Information Security Unit, others), which is responsible for:
    • including relevant professionals
    • securing continuity plans (if needed) according to the system owner/management
    • communicating to relevant stakeholders (users, internal/external, including authorities)
  • Depending on the above, the information security unit assesses whether to escalate the case internally through the appropriate communication channels (to the head of information security or the management team)
  • Depending on the matter of the incident, information/material is gathered as evidence if needed. The evidence is kept safe only while the case is pending.
  • Incidents that can be categorised as major system failures are processed according to the agreed procedure for IT system failure.

Finalisation of the case

  • The case is finalised
  • Relevant parties are informed

The Information Security Unit gathers information regarding security breaches to ensure learning, so that it can recommend further appropriate organisational or technical measures to improve the university's level of security.

Is there personal data involved?

If there is personal data involved in the breach, please fill out this form. 

A security breach is, e.g.:

  • Wrong information sent to the right recipient
  • Right information sent to the wrong recipient
  • Publication
  • Hacking
  • Loss/Theft of equipment, critical data or information (in electronic or physical form)