What is an accidental personal information breach?
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
You are responsible for complying with your obligations under the UK GDPR and Data Protection Act 2018 (DPA 2018) and, where relevant, other information rights legislation, including the Freedom of Information Act 2000 (FOIA). Whilst we make every effort to make sure this guidance is accurate at the time of publication (31 July 2025), we make no guarantees or representations that it will remain up-to-date or ensure compliance. Where appropriate, seek further guidance or advice before disclosing information in the specific circumstances. If you would like to suggest improvements to this guidance, please leave us feedback.
What is a personal information breach?
A personal information breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information.
What is an accidental personal information breach?
Accidental breaches occur whenever you accidentally disclose personal information to someone who is not authorised to see it. For example, you might:
- do something you didn’t intend to do (eg sending an email to the wrong person);
- forget to follow an important step in a process; or
- fail to do something properly because you haven’t been trained.
These types of breaches are different from deliberate actions, whether internal (eg staff not following rules to get something done more quickly) or external (eg phishing or malware attacks).
What do we do if there is a breach?
Although this guidance will help you to consider how to avoid accidental breaches, there will always be some risk when working with people. If there is a breach, seek internal advice and contact us if you need further help.
If there is a breach, you must:
- record the details of the breach (regardless of whether you need to report it to us), including the facts of the breach, its effects and the remedial action you’ve taken;
- report the breach to us without undue delay, and, where possible, within 72 hours of becoming aware of it, where the breach is likely to cause a risk to someone’s rights and freedoms; and
- tell the person or people affected about the breach without undue delay, if the risk is high.
You should:
- act promptly to contain the breach;
- assess the risk;
- take initial appropriate action. Follow relevant internal policies and procedures to help you respond effectively; and
- investigate what happened and take further appropriate action to avoid future occurrences.
Further reading – ICO guidance
- Security, including cyber security
- Email and security
- Personal data breaches: a guide
- Report a breach
External guidance