Use this page to report one of the following types of breach to the ICO:
- a breach of the Data Protection Act (DPA);
- a Privacy and Electronic Communications Regulations (PECR) security breach by a telecoms or internet service provider; or
- the unlawful obtaining of personal data (known as a section 55 DPA breach).
Under the Data Protection Act (DPA), although there is no legal obligation on data controllers to report breaches of security, we believe that serious breaches should be reported to the ICO.
Under the Privacy and Electronic Communications Regulations (PECR), organisations who provide a service allowing members of the public to send electronic messages (eg telecoms providers or internet service providers) are required to notify us if a personal data breach occurs.