Skip to content

Data breach reporting requirements

6 April 2023

Data Breaches are defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a data breach is more than just losing personal data.


You must report data breaches on Halo as soon as you become aware of them. There is a strict requirement on us to notify reportable breaches to the Information Commissioner’s Office without undue delay and within 72 hours, the clock starts ticking for our data protection officer to make a report to the Information Commissioner’s Office as soon as we become aware of the data breach.

Delays in reporting breaches or suspected data breaches on Halo mean that there is less time to investigate these matters and take appropriate action to mitigate any harms which may be caused to the individuals affected.

Please ensure that any data breaches reported in Halo include an accurate summary of the personal data involved and the number of people affected. Remember to respond promptly to any further questions asked by your departmental information governance team and / or the access to information team in Legal Services.

Data breaches can have a significant detrimental impact on individuals and organisations, so please do all you can to enable us to respond efficiently and well within the reporting requirements.