Use this page to report one of the following types of breach to the ICO:

DPA security breach

Under the Data Protection Act, although there is no legal obligation on data controllers to report breaches of security, many choose to do so and we believe that serious breaches should be reported to the ICO.

Examples of personal data breaches include, the loss of a USB stick, data being destroyed or sent to the wrong address, the theft of a laptop or hacking.

Find out more about how to report a data breach or call our dedicated personal data breach helpline. Our normal opening hours are Monday to Friday between 9am and 5pm.

Call us, 0303 123 1113

Breach reporting is changing under the GDPR

From 25 May 2018, mandatory breach notification is being introduced under the General Data Protection Regulation (the GDPR). For more details, please see the Personal data breaches page of our Guide to the GDPR.

PECR security breach (for telecoms and internet service providers)

Under the Privacy and Electronic Communications Regulations (PECR), organisations who provide a service allowing members of the public to send electronic messages (eg telecoms providers or internet service providers) are required to notify us if a personal data breach occurs.

 Report a data security breach (PECR)

Unlawful use of personal data breach (section 55)

Use this form to report that data has been unlawfully obtained or accessed (a breach of section 55 of the Data Protection Act) to the ICO. 

Report a S55 breach