Skip to content

Data breaches

We are aware of a significant increase in the amount of personal data breaches which have been caused by the failure to remove personal data from templates or shared documents. 


The data breach team recently notified the Information Commissioner's Office (ICO) of a serious incident where another individual's special category data was left in a template document which was then sent to a third party. There are serious concerns that the recipient will attempt to locate the third party based on the information disclosed and the department concerned have needed to take urgent action as a result.

It's extremely important that all data breaches are reported as soon as possible. We only have 72 hours to inform the ICO of serious incidents and even less to notify our insurers. All data breaches must be reported on Halo.

Report a security incident

Ensure you include any information you think will assist the data breach team and data protection in assessing the level of risk to the individuals connected with the incident. It's important to give an honest account of what has happened.

If we fail to notify the ICO of all notifiable breaches this can result in a heavy fine of up to £8.7 million. This can be combined with the ICO's other corrective powers under Article 58 of the General Data Protection Regulation (GDPR), such as:

  • the carrying out of data protection audits
  • to carry out reviews of certifications (plus other powers concerning certifications)
  • to issue warnings and reprimands to a controller or processor where processing has or is likely to infringe the regulations to order the controller or processor to comply with the data subjects request to exercise their rights under the GDPR
  • to order the controller or processor to bring processing operations into compliance with the GDPR, where appropriate, in a specified manner and within a specified period
  • to order the rectification or erasure of personal data or restriction of processing and the notification of such actions to recipients to whom the personal data has been disclosed
  • to impose an administrative fine

Avoiding data breaches

The data breach team have devised their top tips for avoiding data breaches:

Double check all email addresses and attachments before sending correspondence

If you’re sending sensitive data via email consider asking a colleague to check the recipient's address and details for you.

When using template documents ensure that a blank template is used at all times

Do not save or leave a template with personal information included on it. Highlight areas where personal information is entered on a template in a different colour.

Ensure you use the blind carbon copy (Bcc) function when sending emails to multiple external email addresses

This is particularly important when scheduling meetings with service users and professionals on Microsoft Teams.

Use the 'secure' and 'encrypted' functions when sending sensitive and personal information in Outlook

The encrypted feature is particularly useful when you don't trust the recipient's email provider to be secure. Familiarise yourself with our secure email policy for further advice and context.

Ensure that information governance training is completed annually

If you feel you need to refresh your knowledge then re-complete the training or read our internal policy and procedure documents.

Regularly remove email addresses from your auto-complete list

You can disable the auto-complete function completely. Learn how to manage suggested recipients in the To, Cc, and Bcc boxes with auto-complete.

Do not click on any suspicious or unusual emails

These could be phishing emails which may lead to a cyber-attack. If feel you've received a phishing email then raise a security incident on Halo.

Take the same approach to working from home the same way you would if working in the office

Many of us continue to work from home. Make sure you take the same approach to working from home the same way you would if working in the office. Our obligations and responsibilities remain the same regardless of the change of scenery.

Don't use your inbox as your own personal storage system

File emails securely onto EDRM, case management system(s) or into organised folder structures on network drives.

Get a second pair of eyes

Just because we aren't sat in the office with colleagues doesn't mean we can't ask for their help. If you need a second opinion then ask for one. Working from home doesn't mean you're on your own.

Returning to work

When we do begin to return to the office, remember not to leave documents and equipment in team zones, communal areas or on hot desks unsupervised. Never leave your work in your vehicle overnight. Store documents securely at home or in the office.