Report a data breach
A personal data breach happens when personal data has been accidentally or unlawfully:
- lost
- destroyed
- changed
- accessed or disclosed without authorisation
This could happen if someone:
- loses a computer that contains personal data
- sends personal data to the wrong person
- accesses data they are not authorised to
A breach does not have to be deliberate: an honest mistake that exposes, loses or corrupts personal data is still a breach.
You should have a process in place so that everyone knows how to recognise a breach and how to respond to it. This is known as a response plan.
If you need to report a breach to the Information Commissioner's Office (ICO), you must do so within 72 hours of becoming aware of it – even if this falls outside working hours.
When to report a data breach
You don’t always have to report a data breach to the ICO.
You’ll need to assess each case individually and look at the potential negative consequences it could have for the people affected (the data subjects).
It will depend on:
- how sure you are a breach has happened
- what level of risk the breach poses to data subjects
- what category of data has been breached (how sensitive it is)
If you decide the breach is unlikely to result in a risk to people, you don’t need to report it.
For example, if a list of contact details is accidentally deleted but can be restored from a backup and did not include passwords or financial data, you may decide not to report it.
You must still record the details of the breach, the fact that you chose not to report it, and your reasoning for concluding it did not pose a risk to the data subjects.
You must report to the ICO if the potential impact on people would include a risk to their rights and freedoms. For example, it could result in:
- emotional or physical distress
- financial loss
- loss of reputation
- other significant economic or social disadvantage
Failing to notify the ICO when you should is itself an infringement and can attract a fine of up to 2% of your annual worldwide turnover. The underlying infringement that led to the breach is assessed separately and can attract a fine in the higher tier of up to 4%.
How to report a breach
You can report a breach to the ICO online or by phone.
Read their guidance on reporting a data breach.
When you also need to tell the people affected
If you decide that there’s likely to be a high risk to the people affected, you’ll need to tell them without undue delay, in addition to notifying the ICO.
This gives them a chance to protect themselves from any negative impacts, for example by changing passwords or watching for fraudulent activity.
A breach involving sensitive (special category) data or data on criminal convictions and offences will usually meet this high-risk threshold.
Sensitive personal data could be, for example:
- political opinion
- religious beliefs
- health
- sex life or sexual orientation
It’s considered high risk because it could lead to:
- discrimination
- identity theft or fraud
- financial loss
- damage to reputation
When you tell data subjects about the breach you should write in a way they can easily understand, and include what happened, the likely consequences, what you are doing about it, and who they can contact for more information.
Read the ICO's guidance on what to tell people affected by a data breach.
Recording a data breach
You must keep your own record of all personal data breaches in an inventory or log, including those you decided not to report to the ICO.
It must contain:
- the facts about the breach
- the effects of the breach
- the remedial action taken