The early stages of dealing with these matters can be key in minimising the impact on a university and its wider reputation. We set out below our top tips to consider.
Usually the first thing to do will be to stop the situation from getting any worse. This will often involve liaising with IT and PR experts on ways to stem the problem. Do not be pressured into making a statement on the spot or feel the need to give a detailed response to initial enquiries: a reassuring holding statement will normally be fine. The full picture may not yet be clear and you will want to avoid doing or saying anything that turns out to be incorrect or inaccurate, which you could later regret.
Make sure that all enquiries from concerned individuals, stakeholders or the press are directed to an appropriate, designated individual or team. Ensure you have out-of-hours contact details available for the key people and sense-check any holiday requests (e.g. to avoid all key IT managers being out at the same time).
When you become aware of a potential issue, consider investigating the position, regardless of whether any allegations may appear spurious. Think about starting work on a more detailed draft statement. If the incident attracts wider attention, you will not be given much time to consider your response. The statements you usually see in these situations are bland and short for good reason: it's a rare occasion when a very detailed response would be the best option, as that will make any press coverage longer. External PR consultants can be engaged if necessary and it may also be helpful to set up a social media and internet monitoring service with support from your communications team.
It is likely that your understanding of the position will change regularly and there will be various competing interests and obligations to consider. Consider what legal issues may be involved and how best to position yourself if a claim arises. What deadlines may be involved? Avoid actions that may increase liability (such as revealing further personal data). Police intervention or a court injunction may be required - either of which may be needed urgently to achieve the best result, or may have wider consequences.
Be aware of any obligations to report incidents (and the timing of such reports) to regulatory bodies such as the ICO or OfS, any individuals affected and your insurers. You should also check if you have insurance cover for reputation damage and any associated PR and/or legal costs.