Report information security incidents and personal data breaches at Karolinska Institutet

Karolinska Institutet is obliged to promptly report if an incident occurs. According to the General Data Protection Regulation (GDPR), for instance, personal data breaches must be reported within 72 hours from discovery.

An incident involving IT, information and/or personal data can take many forms. The following are some examples of common types of incidents that must be reported.

Information leakage through unauthorized disclosure of, or access to, information may involve:

  • mistakenly sending unauthorized recipients information via e-mail/letter/text message (SMS),
  • due to a flaw in a technical system, large amounts of personal data being disclosed to unauthorized persons (regardless of whether those persons are tied to KI or not).

Information loss caused by, for instance, theft, loss, destruction or alteration if e.g.:

  • information has been lost due to a computer/telephone/USB memory/tablet/document or other equipment containing information having been stolen, lost or destroyed.

Information tampering, if e.g.:

  • information has been altered by an authorized or unauthorized individual, which in turn has jeopardized the correctness of the information.

IT attacks such as:

  • malware or malicious code,
  • availability attacks (e.g. Denial-of-service attacks),
  • intrusions or intrusion attempts,
  • attempts to get hold of information or money, e.g. through phishing or social engineering,
  • hijacked, or suspected hijacking of, KI login credentials.

1. Contact information

1.2. Field of work

2. About the incident

2.1. Is any IT system or service involved in the incident?
2.4. What type(s) of information has been affected by the incident? Mark all alternatives you believe to be correct.
2.5. Does the information belong to any other organization than KI (e.g. if KI is processing data for another organization under a so called DPA)?
2.6. What happened during the incident? Mark all alternatives you believe to be correct. (Definitions can be found at the top of the page, above this form.)
* Examples of protective measures: encrypted hardware (e.g. computer, USB memory stick or hard drive) or encrypted information, revoked user access rights, information restored from backups, etc.
2.8. Does the incident involve personal data?

3. Personal data breaches

3.2. If you do not have an exact number, please provide an estimate by marking one of the options below. Please mark only one box.
3.4. If you do not have an exact number, please provide an estimate by marking one of the options below. Please mark only one box.
3.5. What group(s) do the data subjects belong to? Mark all alternatives you believe to be correct.
3.6. What type(s) of personal data has been affected by the incident? Mark all alternatives you believe to be correct.
* According to GDPR, personal data “means any information relating to an identified or identifiable natural person (‘data subject’)”. Data such as name, address or social security numbers is, for instance, considered personal data, but personal data can also come in other forms – such as photos of someone.

** Information related to one of these special categories is considered sensitive personal data:

Racial or ethnic origin;
Political opinions;
Religious or philosophical beliefs;
Trade union membership;
Health data;
Sexual orientation;
Genetic data; and
Biometric data (where processed to uniquely identify someone).
3.7. Has the incident affected persons outside of Sweden?
KI webbförvaltning
14-12-2023