Self-assessment for data breaches
-
1. A personal data breach (PDB) can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. Have you determined whether a PDB has occurred?
Yes
-
2. Making your own assessment, does the breach involve the personal data of living individuals?
Yes
-
3. Following your own assessment, is there likely to be a high risk to individuals’ rights and freedoms?
No
-
4. How likely is it that the breach will result in a risk to individuals?
Likely
It's likely that the breach will result in a risk to individuals
As you’ve assessed that there is likely to be a risk, you must notify the ICO. This must be done within 72 hours of becoming aware of the breach.
Unless you can’t access your system, you should report online.
If you need urgent advice about how to manage the breach, ring our helpline on 0303 123 1113. We’re usually open Monday to Friday from 9am until 5pm.
Health and care organisations in England should report breaches using the Data Security and Protection Incident Reporting tool. For guidance on how to use the tool, see the toolkit help pages.