Data subject type – the type of person affected by the breach - eg customers, employees or children. More details about these categories are given in Data subject type.
Data type – the category of data that has been compromised by the breach. This includes whether the data is special category data or data about criminal convictions. These data types are detailed in Data type.
Date incident reported - the date the breach was reported to the ICO. The data is published here by quarter and financial year, rather than by exact date.
Decision taken – the ICO determined that action was needed in response to the breach report. This action could be formal or informal. Details of the type of action possible are outlined in Decision taken.
Incident category – whether the incident was categorised as cyber or non-cyber. Described in detail in Incident categories.
Incident type – how the breach occurred and whether it was a deliberate act that led to the breach or an error. These are broken down and described in Incident types.
Number of data subjects affected – data subjects whose personal data has been impacted as a result of the breach. This does not include, for example, incorrect recipients of another individual’s data. At the time of reporting, it may not be known how many data subjects have been affected by a breach. Organisations are therefore advised to indicate the maximum number that may be affected. If all customers may be affected, organisations should state how many customers they have.
Sector – the type of organisation that reported the breach. These are not defined in detail as there are a number of inconsistencies in how these are used, particularly within the historic data. We are working on improving this and will revisit in future.
Time taken to report – how long in hours it took an organisation to report a breach after it had been discovered.