The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Assessing and reporting breaches

You have procedures to assess all security incidents and then report relevant breaches to the ICO within the statutory time frame.

Ways to meet our expectations:

  • You have a procedure to assess the likelihood and severity of the risk to individuals as a result of a personal data breach.
  • You have a procedure to notify the ICO of a breach within 72 hours of becoming aware of it, even if you do not yet have all the information about it, and you notify the ICO on time.
  • The procedure includes details of what information must be given to the ICO about the breach.
  • If you consider it unnecessary to report a breach, you document the reasons why your organisation considers the breach unlikely to result in a risk to the rights and freedoms of individuals.

Can you answer yes to the following questions?

  • Are staff aware of the policies and procedures and are they easy to find?
  • Do staff understand how to conduct the risk assessment?
  • Do they know when a breach needs to be reported to the ICO?