GDPR: reporting data breaches

An unaddressed data breach can have a significant effect on individuals and result in heavy fines for those responsible.

The UK GDPR requires organisations to report certain personal data breaches to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, where feasible.

A personal data breach is defined by ICO as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

Personal data breaches can be categorised into three main strands.

  • Loss of confidentiality, where there is unauthorised access to, or accidental disclosure of, personal data. This type of breach is most common with patients' records, e.g. sending personal data to the wrong patient, staff members inappropriately accessing or sharing patient information, or devices such as laptops containing patient data being stolen or lost.
  • Loss of availability, where personal data becomes inaccessible or unavailable when needed. This is the sort of problem that might arise after a cyberattack or system crash that prevents access to records or destroys them.
  • Loss of integrity, where there is unauthorised or accidental alteration of personal data, for example patient information being corrupted or modified due to IT errors or inadvertent errors by staff.

A data breach may involve all three categories, depending on the circumstances.

Reporting tools

If your practice becomes aware of a data breach and you are unsure whether the circumstances reach the threshold for reporting to the ICO, you can complete the ICO's online self-assessment or call the ICO helpline on 0303 123 1113 to discuss whether the breach needs to be reported.

If you do need to report a data breach to the ICO, this can be done via the ICO's website.

Breach notification must include:

  • the nature of the personal data breach, including:
    • the categories and approximate number of individuals concerned
    • the categories and approximate number of personal data records concerned
  • the name and contact details of the DPO or other contact point
  • a description of the likely consequences of the personal data breach
  • a description of the measures taken or proposed to deal with the personal data breach, including measures to mitigate possible adverse effects.

The UK GDPR states that you should inform the data subject if a breach is likely to result in a high risk to their rights and freedoms. This is a higher level of risk than the one that triggers a notification to the ICO, but it may well be met when the data concerned refers to a person's health. For example, accidentally disclosing patient records is likely to be considered a high risk to the rights and freedoms of patients, requiring you to inform the data subject.

This is because of the significant impact on the affected patients due to data sensitivity and the potential for confidential medical details to become known to others.

Failure to notify a breach to the ICO appropriately can result in an administrative fine much higher than fines for breaching the Data Protection Act 2018. This could be up to £8.7 million or 2% of your global turnover.

You should make sure all staff are aware of what constitutes a data breach, and that it is not just loss of personal data. You should also have robust procedures in place to detect, investigate and report breaches.

If there's an urgent security-related incident that requires immediate assistance and support, you can contact the Data Security Centre helpdesk on 0300 303 5222 or, for general cyber operations queries, email cybersecurity@nhs.net. Local incident management must still be carried out in the normal way.

GMC guidance on data breaches

In 'Good medical practice' (2024), the GMC says that you must be open and honest when things go wrong and explain fully and promptly what has happened. It would seem sensible to inform patients of any data breaches, even if it is not mandatory under the UK GDPR.

For more, read our guide on changes to GDPR and data protection laws.

This page was correct at publication on 29/04/2026. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.