Information security and compliance

Information security is a cornerstone of effective data protection, ensuring that personal data is safeguarded against unauthorised access, loss, or damage. Under the UK GDPR, organisations are required to implement “appropriate technical and organisational measures” to uphold the confidentiality, integrity, and availability of personal data, three properties known together as the CIA triad.
Strong information security not only helps organisations comply with legal obligations but also protects individuals from identity theft, financial fraud, and other harms. It supports business continuity and reinforces public confidence in how data is handled.
The University of Westminster has policies and procedures in place and encourages staff, students and contractors to be aware of their roles and responsibilities when it comes to these matters.

For more information, refer to our IT Security and Use Policy and University Personal Data Protection Policy.

Staff and contractors may access the Information Security section on the University intranet for additional content on information security and data compliance. You will be required to log in with your staff credentials to access this section.

Students may go to the pages on our website on Working safely online and Data Protection for further information.

Report a data breach

A ‘data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. This includes breaches that are the result of both accidental and deliberate causes.

If you become aware that something has gone wrong and you suspect it may be a data breach, don’t delay: report it immediately following the process below.

The University is required to report significant data breaches to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of a data breach. The decision to report or not will be made by the Data Protection Officer in consultation with others.

Here are some examples of data breaches:

  • Post or emails being sent to the wrong address/recipient
  • Incorrectly forwarding sensitive emails or using the Reply to All function without checking who should have access to the contents of the email trail
  • Personal data being used for purposes other than those for which it was collected
  • Lost or stolen paperwork, USB memory sticks, CDs/DVDs, laptops, phones or other electronic devices
  • Unauthorised access to documents, electronic or hard copy
  • Loss of availability where personal data cannot be accessed because of a security incident

Report the breach immediately by completing the Breach Report Form with as much detail as possible and emailing it to [email protected].