Use this page to report one of the following types of breach to the ICO:
- a breach of the Data Protection Act (DPA);
- a Privacy and Electronic Communications Regulations (PECR) security breach by a telecoms or internet service provider; or
- the unlawful obtaining of personal data (known as a section 55 DPA breach).
Under the Data Protection Act, although there is no legal obligation on data controllers to report breaches of security, many choose to do so and we believe that serious breaches should be reported to the ICO.
Examples of personal data breaches include, the loss of a USB stick, data being destroyed or sent to the wrong address, the theft of a laptop or hacking.
Find out more about how to report a data breach or call our dedicated personal data breach helpline. Our normal opening hours are Monday to Friday between 9am and 5pm.
Breach reporting is changing under the GDPR
From 25 May 2018, mandatory breach notification is being introduced under the General Data Protection Regulation (the GDPR). For more details, please see the Personal data breaches page of our Guide to the GDPR.
Under the Privacy and Electronic Communications Regulations (PECR), organisations who provide a service allowing members of the public to send electronic messages (eg telecoms providers or internet service providers) are required to notify us if a personal data breach occurs.