Latest updates - last updated 1 November 2023
1 November 2023 - Data updated up to Q2 2023.
Incidents reported to us and what you can do to stay secure
This page contains information on data security breaches that have been reported to us. We publish this information to help organisations understand what to look out for and help them to take appropriate action.
Data security incidents occur when organisations do not have “appropriate technical or organisational measures” to protect the personal data they hold. This is a requirement of the UK General Data Protection Regulation (GDPR) under Principle (f): Integrity and confidentiality (security). They are a major concern for those affected and a key area of action for the ICO. Organisations are required to report breaches within 72 hours of discovery under Article 33 of the GDPR.
The figures reported here are based on the number of reports of personal data breaches received by the ICO up to Q2 2023. Please note that the data is presented in calendar years and quarters, following the Office for National Statistics style for non-financial data releases.
Limitations in this release
There are some limitations to the data contained in this release. Notably:
- The data starts at Q2 2019 as incidents were recorded differently prior to this period.
- Categories and incident types are allocated by the ICO and are assigned as a best fit. In some cases multiple factors will have contributed to an incident but in those cases the most significant incident type or category is assigned.
- As with categories and incident types, the sector is allocated by the ICO and is assigned as a best fit.
- The way the ICO inputs data changes over time. This results in some discrepancies, so caution should be taken when drawing conclusions on changes in specific sectors, incident types or outcomes.
- The way we categorise incidents as cyber or non-cyber within the dashboard is currently under review. As noted above, caution should be taken when drawing conclusions from the split of incident category.
- Although the data can provide insights on the general trends of data security incidents, it should not be seen as a definitive source as it contains only the data security incidents that were discovered and then reported to the ICO.
- There may be some instances of inaccurate data, such as dates or number of data subjects affected. This could be due to human error or this data not being accurately reported by the organisation reporting the breach. Although we have tried to identify and correct historic errors, there may be some that have not been corrected. We are looking at ways to improve data quality moving forward.
- There are some occasions where the data recorded for a particular breach is incomplete. In these cases, the missing details are not included in the dashboard, so some sections of the dashboard may have fewer data points than others.
- Under specific circumstances some cases are transferred to a separate system for review. As a result, these cases, which may include some of the larger and more serious breaches, are not included within this data.
- The case management system needs both a date and a time for when a breach was discovered. Where an organisation provides only a date and not a time, the case handler will input midnight as the time the breach was discovered. This may mean that some breaches are labelled as being submitted outside the required 72-hour window even when they were reported on time.
- Data presented is generally based on the information provided when an organisation initially reports a breach. Any additional information provided as the case progresses is used to reach an outcome, but it is not added to this system. As such, the information provided here should be viewed as a point-in-time reflection of the incident report.
- Some categories of data are presented as ranges. This is to guard against conclusions being drawn with spurious accuracy, and to ensure we provide only the information required for analysis, limiting the instances where specific incidents could be identified.
- We changed our definitions of ‘informal action taken’ and ‘no further action’ in April 2021. This means there are far more cases recorded as ‘informal action taken’ since that date than before it, compared with ‘no further action’.
- In late 2019 we moved away from recording cases as ‘general business’, and tried to be more specific. This means it will look as though we received fewer of those cases from that sector, when instead we’ve just categorised the cases differently.
- There was a substantial drop in reporting in Q2 2020, which is likely the result of the first national UK coronavirus lockdown (March 2020 to June 2020).
This dashboard has been produced as part of the ICO's commitment to responsible, proactive publishing of data. If you have any feedback or comments, please contact [email protected].
A downloadable version of the data contained within the dashboard is provided below, along with some supporting documentation. Note: some reports hold multiple characteristics for some of the categories of data and so appear on multiple rows; this may make it appear that more breaches were reported than is actually the case.
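Two of the caveats above matter most when analysing the downloadable extract: a midnight discovery time may be a date-only submission rather than a genuine discovery at 00:00, and a report that spans several data categories appears on several rows. The following is an added example, not ICO code, showing how an analyst might handle both before counting late reports. The column names (`report_id`, `discovered_at`, `reported_at`, `data_type`) and the rows are assumptions constructed for the example; the real extract's schema is not described on this page.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Article 33 reporting window: 72 hours from becoming aware of the breach.
REPORTING_WINDOW = timedelta(hours=72)


@dataclass(frozen=True)
class BreachRow:
    """One row of an assumed extract; column names are placeholders, not the ICO schema."""
    report_id: str
    discovered_at: datetime
    reported_at: datetime
    data_type: str  # one row per data type, so a single report can span several rows


# Constructed sample rows (not real ICO data).
CONSTRUCTED_ROWS = [
    # R-001: reported 24h after discovery, listed under two data types.
    BreachRow("R-001", datetime(2023, 4, 3, 9, 15), datetime(2023, 4, 4, 9, 15), "names"),
    BreachRow("R-001", datetime(2023, 4, 3, 9, 15), datetime(2023, 4, 4, 9, 15), "addresses"),
    # R-002: discovery time is exactly midnight, reported 80h later.
    # If the organisation only supplied a date, the true gap may well be under 72h.
    BreachRow("R-002", datetime(2023, 4, 10, 0, 0), datetime(2023, 4, 13, 8, 0), "financial"),
    # R-003: genuine afternoon discovery, reported about five days later.
    BreachRow("R-003", datetime(2023, 5, 1, 14, 30), datetime(2023, 5, 6, 10, 0), "health"),
    BreachRow("R-003", datetime(2023, 5, 1, 14, 30), datetime(2023, 5, 6, 10, 0), "names"),
    BreachRow("R-003", datetime(2023, 5, 1, 14, 30), datetime(2023, 5, 6, 10, 0), "addresses"),
]


def reported_within_window(row: BreachRow) -> bool:
    """True if the report arrived no later than 72 hours after discovery."""
    return row.reported_at - row.discovered_at <= REPORTING_WINDOW


def discovery_time_is_placeholder(row: BreachRow) -> bool:
    """A 00:00:00 discovery time is treated as 'time not supplied' (case-handler default)."""
    return row.discovered_at.time() == time(0, 0)


def distinct_reports(rows: list[BreachRow]) -> dict[str, BreachRow]:
    """Collapse the one-row-per-data-type layout back to one record per report."""
    return {row.report_id: row for row in rows}


def summarise(rows: list[BreachRow]) -> dict[str, int]:
    """Count reports (not rows) as on time, late, or late-but-discovery-time-unknown."""
    reports = distinct_reports(rows)
    summary = {"rows": len(rows), "reports": len(reports),
               "on_time": 0, "late": 0, "late_time_unknown": 0}
    for report in reports.values():
        if reported_within_window(report):
            summary["on_time"] += 1
        elif discovery_time_is_placeholder(report):
            # Outside the window on paper, but the midnight timestamp means we
            # cannot tell whether it was genuinely late; keep it in its own bucket.
            summary["late_time_unknown"] += 1
        else:
            summary["late"] += 1
    return summary


if __name__ == "__main__":
    print(summarise(CONSTRUCTED_ROWS))
```

Counting by `report_id` rather than by row avoids the overcounting noted above (six rows, three reports), and keeping midnight-discovery late reports in a separate bucket stops the date-only submissions from inflating the apparent rate of late reporting.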