GDPR: reporting data breaches

An unaddressed data breach can have a significant effect on individuals and result in heavy fines for those responsible.

A personal data breach is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

Personal data breaches can be categorised into:

  • confidentiality breach, where there is an unauthorised or accidental disclosure of or access to personal data. This type of breach is most common with patients' records.
  • availability breach, where there is an accidental or loss of access to or destruction of personal data. For example, the sort of problem that might arise after a cyberattack that prevented access to and/or destroyed records.
  • integrity breach, where there is unauthorised or accidental alteration of personal data.

A data breach may involve all three categories, depending on the circumstances.

Reporting tools

You must report a data breach to the Information Commissioner's Office (ICO) using either the Data Security and Protection Reporting Tool in England, or the ICO breach reporting tool in Scotland, Wales and Northern Ireland if it is likely to result in a "risk to the rights and freedoms of individuals". You can also take a self-assessment to determine whether you need to report to the ICO.

These reports must be made without undue delay, and no later than 72 hours after you become aware of the breach.

Breach notification must include:

  • the nature of personal data breach including:
    • the categories and approximate number of individuals concerned
    • categories and approximate number of personal data records concerned
  • name and contact details of DPO or other contact point
  • description of likely consequences of personal data breach
  • description of measures taken or proposed to deal with personal data breach, including measures to mitigate possible adverse effects.

The UK GDPR states that you should inform the data subject if a breach is likely to result in a high risk to their rights and freedoms. This is a higher level of risk to one that triggers a notification to the ICO but may well be met when considering data that refers to a person's health. For example, accidentally disclosing patient records is likely to be considered a high risk to the rights and freedoms of patients, requiring you to inform the data subject.

This is because of the significant impact on the affected patients due to data sensitivity and the potential for confidential medical details to become known to others.

Failure to notify a breach to the ICO appropriately can result in an administrative fine much higher than fines for breaching the Data Protection Act 2018. This could be up to £8.7 million or 2% of your global turnover.

You should make sure all staff are aware of what constitutes a data breach, and that it is not just loss of personal data. You should also have robust procedures in place to detect, investigate and report breaches.

If there's an urgent security-related incident that requires immediate assistance and support, you can contact the Data Security Centre helpdesk on 0300 303 5222 or Local incident management must still be carried out in the normal way.

GMC guidance on data breaches

In 'Good medical practice' (2024), the GMC says that you must be open and honest when things go wrong and explain fully and promptly what has happened. It would seem sensible to inform patients of any data breaches, even if it is not mandatory under the UK GDPR.

For more, read our guide on changes to GDPR and data protection laws.

This page was correct at publication on 30/01/2024. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.