The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Start again
  • 1. A personal data breach (PDB) can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. Have you determined whether a PDB has occurred?

    Yes

    Change this answer
  • 2. Making your own assessment, does the breach involve the personal data of living individuals?

    Yes

    Change this answer

3. Following your own assessment, is there likely to be a high risk to individuals’ rights and freedoms?

You will need to assess both the severity of the potential or actual impact on individuals as a result of a breach and the likelihood of this occurring. If the impact of the breach is more severe, the risk is higher; if the likelihood of the consequences is greater, then again the risk is higher.

The Article 29 Working Party says that "This risk exists when the breach may lead to physical, material or non-material damage for the individuals whose data have been breached".

To help you assess the severity of a breach we have selected examples taken from various breaches reported to the ICO. These also include helpful advice about next steps to take or things to think about. This link will open in a new browser tab.