Why is it important to protect personal information and why might accidental breaches happen?
-
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
You are responsible for complying with your obligations under the UK GDPR and Data Protection Act 2018 (DPA 2018) and, where relevant, other information rights legislation, including the Freedom of Information Act 2000 (FOIA). Whilst we make every effort to make sure this guidance is accurate at the time of publication (31 July 2025), we make no guarantees or representations that it will remain up-to-date or ensure compliance. Where appropriate, seek further guidance or advice before disclosing information in the specific circumstances. If you would like to suggest improvements to this guidance, please leave us feedback.
Why is it important to protect personal information?
A personal information breach may impact people’s lives in very different ways, depending on the circumstances. It may cause inconvenience, embarrassment or emotional distress. In more serious cases, it may create risks to a person’s fundamental rights and freedoms, in which case you must report the breach to us. For example, there may be a risk of:
- loss of control over personal information;
- reputational damage;
- discrimination;
- identity theft or fraud;
- financial loss;
- loss of confidence; or
- physical harm.
In the worst cases, a breach may cause substantial and long-lasting harm. Where there is a high risk to someone’s rights and freedoms, you must also tell the person or people affected about the breach (see What do we do if there is a breach?).
Why is it important to show people you protect their personal information?
A breach may damage your reputation and affect the trust and confidence people have in your organisation. On the other hand, showing people you have high standards for data protection enhances your reputation and will help you to secure the public’s trust and confidence.
The steps you take to protect people’s personal information, including responding swiftly, appropriately and empathetically to any breaches, is a crucial part of sustaining people’s trust and confidence. It demonstrates clearly that you understand and care about the harmful impact a breach may have.
Why might accidental breaches happen?
People might be more likely to make mistakes if one or more factors are present. These may concern your organisation, a specific job or task, or employee (and potentially a combination of all three). Examples of these factors include:
- poor communication about internal policies and procedures;
- lack of regular training;
- inadequate resources;
- challenging workloads;
- time pressure; or
- employee fatigue and stress.
Why is it important to consider the circumstances of an accidental breach?
You should consider:
- the circumstances of an accidental breach, including its nature and who it affects, so that you can act promptly to contain it, assess the risks and report it, where required (see What do we do if there is a breach?); and
- why a breach or a ‘near miss’ happened to help you take appropriate steps to avoid future occurrences.
You could consider the type of error involved (see What is an accidental personal information breach?) to help you identify the most effective response. Options you could consider include:
- training
- using a checklist;
- implementing a cross-check (peer review) process of important tasks; or
- adjusting IT settings to provide reminders or prompts, where possible.
You could also consider factors that might have contributed to a breach. This may also help you consider appropriate steps to reduce the risk of future breaches. If you simply label a breach as ‘human error’ without more investigation, you may miss important opportunities to learn from what happened.
Further reading
- ICO guidance
- External guidance