Use this page to report one of the following types of breach to the ICO:
- a breach of the Data Protection Act (DPA);
- a Privacy and Electronic Communications Regulations (PECR) security breach by a telecoms or internet service provider; or
- the unlawful obtaining of personal data (known as a section 55 DPA breach).
Under the Data Protection Act, although there is no legal obligation on data controllers to report breaches of security, many choose to do so and we believe that serious breaches should be reported to the ICO.
Notification of personal data breaches will become mandatory when the General Data Protection Regulation comes into force from 25 May 2018.