A personal data breach happens when data has been accidentally or unlawfully:
- lost
- destroyed
- changed
- accessed
This could happen, for example, if someone:
- loses a computer that contains personal data
- sends personal data to the wrong person
- accesses data they are not authorised to
You can read more about what a personal data breach is on the ICO website.
A data breach can be accidental or unlawful.
You should have a process in place so that everyone knows how to respond to a breach. This is known as a response plan.
If you need to report a breach to the ICO, you must do so within 72 hours of first finding out – even if this is outside working hours.
How to report a data breach
Report a data breach to the ICO by phone or online
When to report a data breach
You don’t always have to report a data breach to the ICO. You’ll need to assess each case individually and look at the potential negative consequences it could have on the person affected – the data subject.
It will depend on:
- how sure you are a breach has happened
- what level of risk the breach poses to data subjects
- what category of data has been breached (how sensitive it is)
When there’s no need to report
If you decide the breach is unlikely to result in a risk to people, you don’t need to report it. This might be, for example, if contact details are accidentally deleted but the information did not include passwords or financial data.
You’ll still need to keep a record of details of the breach and why:
- you chose not to report it
- you thought it did not pose a significant risk to the data subject
When you need to report to the ICO
You should report to the ICO if the potential impact on people would include a risk to their rights and freedoms. For example, it could result in:
- emotional or physical distress
- financial loss
- loss of reputation
- other emotional or social disadvantages
When you also need to tell the people affected
If you decide that there’s likely to be a high risk to the people affected, you’ll need to tell the data subjects as soon as possible, as well as the ICO. This will give them a chance to protect themselves from any negative impacts.
This will also be the case if the information contains sensitive (special category) personal data or data on criminal convictions.
Sensitive personal data could be, for example:
- political opinion
- religious beliefs
- health
- sex life or orientation
It’s considered high risk because it could lead to:
- discrimination
- identity theft or fraud
- financial loss
- damage to reputation
When you tell data subjects about the breach you should write in a way they can easily understand.
Read the ICO’s guidance on what to tell the people affected
You could be fined up to 2% of your global turnover if you don’t report a breach when you should, and a further 4% for the breach itself.
Recording a data breach
You should keep your own record of all personal data breaches in an inventory or log. It must contain:
- the facts about the breach
- the effects of the breach
- action taken