Security and protection of personal data
The protection of personal data is crucial to our fundamental rights and freedoms.
An adequate level of personal data protection must be ensured at every stage of processing in order to guarantee the continuity of the University of Silesia in Katowice's operations and to minimise the risk of infringing the rights or freedoms of natural persons, as well as the risks associated with processing, in particular those resulting from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), abbreviated as GDPR, introduced the basic mechanisms for ensuring an adequate level of protection of the rights and freedoms of natural persons, including the security of their personal data. Data protection prevents identity theft, fraud and other abuses. By protecting data, we protect our privacy and security.
What is personal data?
Personal data is any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. A breach may result in the risk of identity theft, blackmail or fraud, loss of trust in the University of Silesia in Katowice, or legal and financial consequences (e.g. penalties imposed by the President of the Personal Data Protection Office). Examples of personal data breaches include:
- Sending an email to multiple recipients without using the BCC (blind carbon copy; ‘UDW’ in Polish mail clients) function, so that every recipient sees the other addresses. This applies in particular to emails sent to private addresses;
- Sending an email or paper correspondence containing personal data to the wrong recipient;
- Deletion of personal data, whether by mistake or intentionally, without the proper authorisation or request;
- Loss/theft/misplacement of media such as USB sticks, memory cards, portable drives, laptops, mobile phones on which personal data is stored, including the loss of paper documentation containing personal data;
- Disposal of documents containing personal data without permanent destruction (failure to use a shredder or secure bin);
- Disclosure of personal data to an unauthorised entity or person/lack of legal basis for disclosure;
- Loss of access to personal data (e.g. in IT systems, on hard drives or servers), for example as a result of a ransomware attack, in which an attacker encrypts the drives and demands a ransom for restoring access;
- Intentional or accidental damage to the system, resulting in the loss of access to personal data.
If you suspect or discover a personal data breach in your environment, you should report it immediately, without undue delay.
Please remember that the University of Silesia in Katowice, as the data controller, is obliged to notify a personal data breach to the President of the Personal Data Protection Office without undue delay and, where feasible, no later than 72 hours after becoming aware of it (unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons). That clock starts when the University learns of the breach, which is why internal reports must not be delayed.
In the absence of an adequate and rapid response, a personal data breach may result in physical injury, material or non-material damage to individuals, such as loss of control over their personal data or restriction of rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, breach of confidentiality of personal data protected by professional secrecy, or any other significant economic or social damage.
REPORTS SHOULD BE MADE – PREFERABLY IN WRITING
- to the Data Protection Officer at the following e-mail address: dariusz.pawelczak@us.edu.pl or iod@us.edu.pl, tel. 32 359 24 36;
- or to the Data Protection Officer’s Team at the following e-mail address: aneta.landrat@us.edu.pl, tel. 32 359 24 33;
- Reports can also be made in person at the Data Protection Officer’s office at the following address: Katowice, ul. Bankowa 14, room no. 334, 2nd floor.
A report of a personal data breach should include:
- the date of the incident (optionally the time of the incident);
- description of the nature of the breach, detailed description of the incident;
- description of the circumstances of the incident;
- category and approximate number of persons concerned;
- contact details of the person reporting the breach (telephone number, e-mail address, USil unit).
Basic rules for protecting personal data in everyday work:
- Only work on your own account in the IT systems to which you have been granted access;
- Create strong passwords for systems: use a sufficiently long password containing lowercase and uppercase letters, numbers and special characters. Do not use words that can be found in dictionaries, and do not use your own personal data (first name, surname, date of birth, etc.) as part of a password;
- Keep your passwords and IDs to yourself: do not share your passwords with anyone, do not write them down in a visible place, keep your IDs for accessing IT systems safe;
- Follow the clean screen, clean desk and clean printer rule:
– do not save files on your computer desktop, keep only standard desktop icons;
– lock your computer if you leave your workplace even for a moment (Windows key + L);
– collect printouts and copies from printers/photocopiers immediately after printing/copying;
– when you finish work, put documents away in lockable cabinets and desks;
- Protect media containing personal data from loss, theft or damage;
- Destroy media containing data that you no longer need – destroy paper documents in a shredder or put them in a ‘secure bin’;
- Be careful when discussing work matters: do not disclose information about your work in public places (e.g. on public transport, in restaurants, during telephone conversations in public places) or in private conversations. Maintain the good image of the University of Silesia;
- Lock your office when you leave it if no one else is there;
- Be careful when using online resources – email, websites, social media;
- Watch out for suspicious text messages;
- Protect the personal data you process by pseudonymising or anonymising it wherever possible, e.g. by replacing names and identification numbers with codes whose key is stored separately from the data.
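The last rule above deserves a concrete illustration of what pseudonymisation does and does not achieve. The following is an added example written for this page; it is not code from the University of Silesia or its IT systems. It assumes a constructed dataset of fictional student records keyed by a six-digit `student_id`, and a hypothetical HMAC key that the controller keeps in a separate secrets store. The example replaces direct identifiers with a keyed pseudonym (HMAC-SHA256) that stays stable within one purpose but differs across purposes, drops the name field entirely, and shows why an unkeyed hash of a short identifier is not a pseudonym at all: it can be reversed by trying every possible ID.

```python
"""Pseudonymisation of personal data with a keyed hash (HMAC-SHA256).

Added illustration, not part of the University of Silesia page.
Assumptions: records are dicts with a 'student_id' identifier, and the
HMAC key is held by the controller separately from the pseudonymised
dataset (here a constructed constant, for demonstration only).
"""
import hashlib
import hmac
from typing import Optional

# Constructed sample records: fictional people and IDs, not real data.
RECORDS = [
    {"student_id": "123456", "name": "Anna Nowak", "grade": 4.5},
    {"student_id": "654321", "name": "Jan Kowalski", "grade": 3.0},
    {"student_id": "123456", "name": "Anna Nowak", "grade": 5.0},
]

# Hypothetical key kept outside the dataset (e.g. in a secrets store).
# In practice this is generated with a CSPRNG and never shipped with the data.
PSEUDONYM_KEY = bytes.fromhex(
    "7f3b9c2e1d4a5b6c8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d"
)


def pseudonym(identifier: str, key: bytes, purpose: str = "research") -> str:
    """Return a stable, keyed pseudonym for an identifier.

    The purpose string is folded into the MAC input so that the same person
    receives different pseudonyms in datasets prepared for different
    purposes; the two datasets cannot be joined without the key.
    Without the key, the output cannot be linked back to the identifier.
    """
    msg = purpose.encode() + b"\x00" + identifier.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes, purpose: str = "research"):
    """Replace the direct identifier with a pseudonym and drop the name.

    Only the attributes actually needed for the purpose are kept; a name
    is a direct identifier and has no place in a pseudonymised extract.
    """
    return [
        {"pid": pseudonym(r["student_id"], key, purpose), "grade": r["grade"]}
        for r in records
    ]


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier: looks anonymous, is not."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def reverse_naive_hash(digest: str, id_length: int = 6) -> Optional[str]:
    """Recover a numeric identifier from its unkeyed hash by exhaustion.

    Six-digit IDs form only 10**6 candidates, so anyone holding the
    'hashed' dataset can rebuild the mapping in seconds. That is why an
    unkeyed hash of a small identifier space is not pseudonymisation in
    the GDPR sense: no additional, separately kept information is needed
    to re-identify the person.
    """
    for n in range(10 ** id_length):
        candidate = str(n).zfill(id_length)
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    extract = pseudonymise(RECORDS, PSEUDONYM_KEY)
    for row in extract:
        print(row)
    # The same student keeps one pseudonym within the extract ...
    print(extract[0]["pid"] == extract[2]["pid"])
    # ... but a differently purposed extract gets an unlinkable one.
    print(pseudonym("123456", PSEUDONYM_KEY, "billing") != extract[0]["pid"])
    # The unkeyed hash is trivially reversed.
    print(reverse_naive_hash(naive_hash("123456")))
```

Note that the pseudonymised extract is still personal data under the GDPR, because the University, holding the key, can re-identify the students; it simply reduces the damage if the extract is lost or sent to the wrong recipient. Anonymisation is a stronger step (for example, publishing only grade averages over groups large enough that no individual can be singled out) and is only appropriate where the individual-level data is genuinely no longer needed.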
Mandatory training on security and personal data protection
ATTENTION!
In order to continuously raise employee awareness of personal data protection, the Data Protection Officer Team recommends regular participation in available training courses on information security and data protection.
E-learning courses are available on our Moodle training platform.
Links to training courses:
- Personal data protection – part 1 (GDPR1)
- Personal data protection – part 2 (GDPR2)
In addition to the training courses available on the platform, we encourage you to participate in on-site training courses organised by the Data Protection Officer Team.
The training courses are organised on a regular basis. Additionally, the head of a USil unit may request the Data Protection Officer Team to organise a training course.