Personal Data Breaches

A personal data breach is a breach of security leading to the accidental or unlawful loss, destruction, alteration, or unauthorised disclosure of, or access to, personal data.

A personal data breach can include: 

  • Access by an unauthorised third party
  • A deliberate or accidental action (or inaction) by a controller or processor
  • Sending personal data to an incorrect recipient
  • Computing devices containing personal data being lost or stolen
  • Alteration of personal data without permission
  • Loss of availability of personal data

What breaches does the ICO need to be notified about?

A data breach needs to be assessed to establish the likelihood and severity of the resulting risk to people's rights and freedoms. If a risk is likely, you must notify the ICO. If a breach is not reported, the organisation must be able to fully justify that decision, so the decision and its reasoning need to be documented.

In assessing the risks, it's important to focus on the potential negative consequences for individuals.

Timing of reporting a breach 

A breach must be reported to the ICO no later than 72 hours after the organisation becomes aware of it. If reporting takes longer than this, the reason for the delay must be given.

What information must be provided to individuals when telling them about a breach? 

  • The name and contact details of your data protection officer (if your organisation has one) or other contact points where more information can be obtained
  • A description of the likely consequences of the personal data breach

Last modified: Tuesday, 17 June 2025, 7:44 PM