skip to primary navigationskip to content

Personal Data Breaches

Data protection legislation requires organisations to investigate all security incidents suspected of involving personal data and to report confirmed personal data breaches to the Data Protection Officer (DPO) within 72 hours of becoming aware of the breach.

Breaches representing significant risk of harm to individuals' rights and freedoms will need to be reported to the ICO and security/law enforcement services, where a criminal element is involved.  This too should be completed with the 72-hour timeline, or as soon as practicable provided there is a valid justification for the delay.

The Office of Intercollegiate Services has produced the following template and accompanying guidance to assist Colleges in completing their initial assessment of a potential incident - and reporting it to the DPO - within the statutory timeline:

Organisations are required to keep a record of all their personal data breaches, even those that do not need to be reported to the ICO. The DPIR forms act as the internal record for both the Colleges and their DPO.


External Resources

The Information Commissioner's Office (ICO) reviews its guidance on data protection legislation and other privacy laws regularly. These guides and a raft of resources and support materials are available on their website: