Use this page to report one of the following types of breach to the ICO:

DPA security breach

Under the Data Protection Act, although there is no legal obligation on data controllers to report breaches of security, many choose to do so and we believe that serious breaches should be reported to the ICO.

Notification of personal data breaches will become mandatory when the General Data Protection Regulation comes into force from 25 May 2018.

Report a data security breach (DPA)

PECR security breach (for telecoms and internet service providers)

Under the Privacy and Electronic Communications Regulations (PECR), organisations who provide a service allowing members of the public to send electronic messages (eg telecoms providers or internet service providers) are required to notify us if a personal data breach occurs.

 Report a data security breach (PECR)

Unlawful use of personal data breach (section 55)

Use this form to report that data has been unlawfully obtained or accessed (a breach of section 55 of the Data Protection Act) to the ICO. 

Report a S55 breach