The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Data breach reporting

Share

How do I report a breach?

If your organisation has experienced a data breach our personal data breach helpline staff can offer you advice about what to do next, including how to contain it and how to stop it happening again. We can also offer advice about whether you need to tell the data subjects involved.

If you have an impairment and might need a service adjustment, please let us know.

Self-assessment

Take our self-assessment to help determine whether your organisation needs to report to the ICO. (If you have already completed the self-assessment, continue to read this page.)

Self-assessment

To report a breach, call our helpline. Our normal opening hours are Monday to Friday between 9am and 5pm. When you call we will record the breach and give you advice about what to do next. If you would like to report a breach outside of these hours, you can report online. Unless you can’t access your system, you should report cyber incidents online. For more information about how we use your personal information, see our privacy notice.

 Call us on 0303 123 1113.

What information will I need to provide?

When you phone, we'll ask you questions about:

  • what has happened;
  • when and how you found out about the breach;
  • the people that have been or may be affected by the breach;
  • what you are doing as a result of the breach; and
  • who we should contact if we need more information and who else you have told.

You should ensure the information provided is accurate and supply us with as much detail as possible. We'll send you a copy of the information you give us. 

Can I report a breach online?

If you have experienced a data breach and need to report it to the ICO but you’re confident you have dealt with it appropriately, you may prefer to report it online. You may also want to report a breach online if you are still investigating and will be able to provide more information at a later date. The online form can also be used to report breaches outside our normal opening hours. Unless you can’t access your system, you should report cyber incidents online.

Personal data breach reporting form (Right click on the link and select 'Save Link As' or 'Save Target as' to download the form before you begin to edit it.)

Ffurflen hysbysu toriad diogelwch data (Cliciwch dde ar y ddolen a dewiswch 'Save Link As' neu 'Save Target As' i lawrwytho'r ffurflen cyn cychwyn.)

If you are reporting online please make sure you include the telephone number of someone familiar with the breach, in case we need to follow up with you about any of the information provided.

We have also created a guide to help you complete the personal data breach reporting form. Right click on the link and select 'Save Link As' or 'Save Target as' to download the guide.

If you are unsure about any of the questions within the form, or if have any concerns about how to manage the breach please call us on 0303 123 1113.

Health sector breaches in England

Health and care organisations should report breaches using the Data Security and Protection Incident Reporting tool. For guidance on how to use the tool, see the toolkit help pages.

Heath sector breaches in Wales

A guide to assist Information Governance professionals across NHS Wales organisations on categorising and notification requirements for personal data breaches is available on the NHS Wales website.

What's next?

When reporting a breach, you should give as much detail as possible and be as accurate as you can. We will use the information you provide to decide what should happen next.

We may use it to take regulatory action, or to identify data security incident trends.

Where appropriate, we may share it with law and cybercrime agencies or other regulators. We may also share information with other regulators, such as the Financial Conduct Authority. Where an incident is relevant to another country, we may also share the information with appropriate regulatory representatives in that country. Let us know if you’d like more information about this.

For more about how we use your information, see our privacy notice.

Cyber incidents

Where a significant cyber incident occurs, you may also need to report this to the National Cyber Security Centre (the NCSC). To help you decide, you should read the NCSC ‘s guidance about their role and the type of incidents that you should consider reporting.

Incidents that are not considered significant and those that might lead to a heightened risk of individuals being affected by fraud, should be reported to Action Fraud – the UK’s national fraud and cybercrime reporting centre. If your organisation is in Scotland, then reports should be made to Police Scotland.

Where appropriate, the ICO may liaise with the above organisations in relation to the incidents reported to us. However, it is your responsibility to ensure all relevant authorities are made aware of an incident.