Further information

Can an organisation share my information without my consent?

Yes, organisations can lawfully share your information without relying on your consent. They can do this if they have a valid reason. These reasons are known as a lawful basis, and there are six lawful bases organisations can use.

Does the organisation need to inform me if my information has been compromised?

An organisation must inform you directly, and as soon as possible, if the way they have handled your information is likely to significantly impact your livelihood or put you at risk of harm. However, there may be times when an organisation informs you that they’ve suffered a data breach simply in order to be open and transparent with you. Your information having been compromised doesn’t always mean that you’re at risk of harm.

Ultimately, it is for the organisation to judge whether they need to inform you that you’ve been impacted. They should always report this to us.

When should an organisation report a data breach to the ICO?

Organisations do not need to report all data breaches to us.

If the way an organisation has handled information will significantly impact your livelihood or cause you harm, then they must notify us as soon as they become aware of it. If a risk is unlikely, they do not need to report it.

Example

  • A hospital publishes the medical records of its patients on its website. This means that people’s sensitive health information is accessible to other people. This could result in harm due to the sensitivity of the information, and therefore the hospital needs to tell patients about the breach.
  • A member of staff at a university has accidentally deleted a record of alumni contact details. The details are later re-created from a backup. This is unlikely to cause harm to those people, so the university doesn’t need to inform them about the breach.
  • A council has allowed a customer to access their ex-partner’s personal information, including their home address. The ex-partner is a survivor of domestic abuse. This could result in significant harm to the person, so the council should tell them about the breach.

Organisations need to record all incidents, regardless of whether they need to report them. They are required to document the facts about the breach, its effects and any action taken.

If a breach meets the threshold for reporting, then organisations must report it to us as soon as possible and no later than 72 hours after becoming aware of it.

The 72-hour rule only applies to organisations reporting a breach, not to people affected by a data breach who want to contact us. If you would like to raise a concern about a data breach with us, you can contact us to help you decide on your next steps and whether raising a complaint with us is right for you.

We hold information about complaints and personal data breach reports for two years. This means that if an organisation does self-report a breach to us, and we receive your complaint more than two years later, it may affect the outcomes we reach. Therefore, getting in touch early can help us support you in resolving the issue.