A 'personal data breach' is defined under Article 4(12) of the GDPR as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The key element is the involvement of personal data. An organisation's information security policy is a general procedural document and does not typically contain personal data. Therefore, its deletion is an information availability issue but not a personal data breach. The other scenarios all involve security incidents affecting the personal data of customers, employees, or students.

B. The unauthorised changing of a person's address details is a breach of data integrity affecting personal data.

C. The accidental destruction of an employee's HR file is a breach of data availability affecting personal data.

D. The loss of a memory stick with student details is a breach of confidentiality and availability affecting personal data.

1. Regulation (EU) 2016/679 (General Data Protection Regulation).

Article 4(12): Defines 'personal data breach' as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data..."

Article 4(1): Defines 'personal data' as "any information relating to an identified or identifiable natural person..."

2. Information Commissioner's Office (ICO). "Guide to the General Data Protection Regulation (GDPR) - Personal data breaches."

Section: "What is a personal data breach?" This official guidance states, "A personal data breach is a security incident that has affected the confidentiality, integrity or availability of personal data." It confirms that the incident must involve personal data to be classified as such a breach.

3. European Data Protection Board (EDPB). "Guidelines 9/2022 on personal data breach notification under GDPR," Version 2.0, 28 March 2023.

Section 2.1, "Definition of a personal data breach": This document reiterates the GDPR definition and provides examples, clarifying that the three types of breaches (confidentiality, integrity, availability) must relate specifically to personal data. The deletion of a non-personal document like a policy does not meet this criterion.