A personal data breach has taken place when the breach leads to an accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal information that is transmitted, stored or otherwise processed, regardless of whether the processing is physical or electronic.
If, in connection with your master’s thesis or similar in which you have decided what you want to write about and what personal data you will be processing, you notice a breach of personal data security, you are responsible for dealing with the breach. For example, a breach of personal data security may be that you have lost your computer, which contains interview data with mentally vulnerable people, or unauthorised persons have had access to something they should not have access to.
First, you should assess whether the breach has had major consequences for those affected (e.g. involving sensitive personal data or large amounts of personal data) – and if so report the breach to the Danish Data Protection Authority. Then – whether or not you report the breach to the Data Protection Authority – it is appropriate that you inform those affected (such as people you have interviewed) about the breach. Enter into dialogue with your supervisor about the breach.