This policy recognises that Surfers Not Street Children has a duty to protect the personal information of staff, volunteers, donors and contacts it is responsible for.

Surfers Not Street Children understands that it is the custodian of personal information. Surfers Not Street Children recognises the importance of handling personal information securely and appropriately.

    1. Purpose and objective

This Data Protection Policy defines

  • how personal data will be handled so that it remains confidential, maintains its integrity and is available when needed.

  • how Surfers Not Street Children will meet its obligations as a Data Controller under the Data Protection Act 1998.

This policy will enable Surfers Not Street Children to demonstrate

  • recognition of how important the management of personal information is;

  • that reasonable steps are being taken to meet legitimate expectations of confidentiality and privacy, and to reduce the risk of substantial distress or financial damage being caused to individuals where Surfers Not Street Children handles their personal information;

  • good governance with regard to the handling of personal data and sensitive personal data, to reduce the risk of damage to Surfers Not Street Children’s reputation and the goodwill and trust individuals have in Surfers Not Street Children;

  • how Surfers Not Street Children will achieve compliance with the data protection principles – by defining what is authorised and lawful so those who handle personal data when working for Surfers Not Street Children will know what is expected of them and where to go for further guidance.

    1. Scope

This policy outlines how Surfers Not Street Children will ensure compliance with the Data Protection Act 1998 and related statutory instruments.

The policy applies to all staff and volunteers who access or use personal data that Surfers Not Street Children is responsible for as a Data Controller.

    1. Commitment on the handling of personal data

Surfers Not Street Children commits to ensuring that personal data is protected from the loss of confidentiality, integrity and availability and at the same time managed so that it can be used to provide services in an efficient and effective manner.

Protect from loss of – Intended outcome of policy

  • Confidentiality – Personal information is accessible only to authorised individuals.

  • Integrity – There are safeguards to ensure the accuracy and completeness of personal information and processing methods.

  • Availability – Authorised staff have access to relevant information when required.

The Surfers Not Street Children Director will review and ensure compliance with this policy and will provide updates to the trustees on an annual basis.

    1. Purpose for which Surfers Not Street Children uses data

Surfers Not Street Children’s stated purpose for which data is used is as follows:

Surfers Not Street Children manages the data and will use it to supply information to you about the work and events and ministry of Surfers Not Street Children (and of other organisations which Surfers Not Street Children partners with, where appropriate), but it will not be passed to Surfers Not Street Children partners or other third parties.  You can opt out of receiving our communications at any stage you wish by changing your Personal Preferences electronically or by notifying the Surfers Not Street Children office.

    1. Review

Surfers Not Street Children will undertake to review this policy every 12 months. The policy will also be reviewed when necessary – for example, in the event of legislative or organisational change.

    1. Employment

This policy forms part of the Employment relationship Surfers Not Street Children has with its staff, and therefore forms part of the contractual and implied responsibilities employer and employee have together.

  1. What is ‘personal data’?

Personal data means information relating to a living individual who can be identified from the information, including any expression of opinion about the individual, or any intentions in respect to the individual. This can relate to a staff member, a personal supporter, or a ministry contact.

    1. Types of personal data

There are two types of personal data

    1. Standard personal data

This includes information like:

  1. Name

  2. Address

  3. Email

  4. Phone number

  5. Donation history

  6. Family member names

  7. Date of birth

  8. Date of birth of family members

    1. Sensitive personal data

This includes information like:

  1. Race or ethnic origin

  2. Political opinions

  3. Beliefs

  4. Health or sex life (including orientation)

  5. Trade union membership


  1. Data protection principles

The Data Protection Act has eight key principles. This policy is not intended to be a comprehensive explanation of the Data Protection Act, but for completeness the principle headings are listed here. The policies adopted within this policy document seek to apply these principles. They are included here for information and reference.

    1. Principle 1

Personal data shall be obtained lawfully and fairly.

    1. Principle 2

Personal data should be obtained for one or more specified lawful purposes, and shall not be used in any manner incompatible with that purpose or purposes.

    1. Principle 3

Personal data shall be adequate, relevant and not excessive in relation to the purpose for which they are used.

    1. Principle 4

Personal data shall be accurate and, where necessary, kept up to date.

    1. Principle 5

Personal data shall not be kept for longer than is necessary for the purpose it was initially collected.

    1. Principle 6

Personal data shall be used in accordance with the rights that the individual to whom the information pertains has under the Data Protection Act.

    1. Principle 7

Appropriate technical and organisational measures shall be taken against unauthorised, unlawful use, accidental loss, or damage to personal data.

    1. Principle 8

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country ensures an adequate level of protection for the rights and freedoms of individuals the information pertains to.

  1. Using mobile devices (Laptops, tablets, phones, USB sticks) ‘B.Y.O.D – Bring Your Own Device’


    1. Overview

Some of our work takes place outside an office environment. Staff and volunteers all use mobile devices such as laptops, tablets, smartphones and USB sticks.

The term that most organisations adopt when allowing staff to purchase their own equipment and use it for work purposes is BYOD, or Bring Your Own Device.

If the purchase price of the equipment is paid or reimbursed by Surfers Not Street Children then the device is owned by Surfers Not Street Children. If it has not been reimbursed then the equipment belongs to the individual staff member.

It’s important to highlight

  1. The personal data collected and stored on computing devices in relation to work with Surfers Not Street Children, irrespective of whether the equipment belongs to Surfers Not Street Children, is legally under the stewardship and responsibility of Surfers Not Street Children. This would include any list/database of our network and contacts.

  2. The equipment used is the responsibility of the staff member to maintain and support.


    1. Risks of using mobile devices

A staff member must be aware of the following risks when using their own devices.

  1. Unauthorised access. E.g. someone other than the staff member could access the device – a thief or family member.

  2. Unlawful processing. E.g. the use of the personal data by the staff member for a non-Surfers Not Street Children related purpose. The law says we cannot use the information we collect for purposes other than those it was collected for in the first place.

  3. Accidental loss. E.g. the data on your device is lost, or stolen.

  4. Accidental damage. E.g. you might only have one copy of a database that gets corrupted meaning the information cannot be retrieved.

  5. Accidental deletion. E.g. you may accidentally delete the information.


    1. Policy

Surfers Not Street Children allows staff and volunteers to use their own devices when accessing personal data.

In light of these risks, staff members and volunteers are responsible for the following.

  1. Ensure up-to-date virus and malware protection is installed on the device.

  2. Ensure personal data is backed up regularly, either in their Surfers Not Street Children Soonr account, the Mailchimp database, or another secure cloud storage facility. See Backup procedures later in this policy.

  3. The equipment containing the personal data is kept in sight at all times, or locked and secure. This includes not letting a non-staff member borrow the equipment as this means the information is no longer secure.

  4. In light of the fact USB sticks are easy to lose, the storing of personal data on USB sticks is prohibited, unless the USB stick is encrypted.

  5. Laptops will be password protected.

  6. Where there are more than 300 names, and personal details, relating to Surfers Not Street Children contacts on the device, then the device will be encrypted.


  1. Cloud Storage

    1. Overview

Surfers Not Street Children provides staff with cloud storage through their secure Soonr account.


If a staff member wishes to store personal data in an alternative cloud storage facility they are to ensure the following.

  1. Password – Follow the password policy in Section 6.2.

  2. Turning on two-factor authentication is strongly recommended.


  1. Passwords

    1. Overview

Simple passwords can be easily guessed, and if the same password is used for every website account a staff member uses, all their ‘digital’ life is accessible for hacking.

If a low security website is hacked, the hacker can use the same login/password information for more secure websites.

    1. Policy

Where personal data is stored the staff member needs to apply the following password policy.

  1. Be a minimum of seven characters long.

  2. Be a mixture of uppercase, lowercase characters and numbers.

  3. Not include real names. This includes names of spouse, children or pets.

  4. Not include any part of the login name. i.e. if the account login is fredbloggs the password should not be Fredbloggs1.


Many staff will have multiple online accounts each with different logins and passwords. It is tempting to have the same password for each of these accounts. The danger is if a particular website is compromised and passwords are stolen, this gives the thief access to all accounts with the same password. It is good practice to have different passwords for different accounts. A recommendation is password manager software like 1Password (https://agilebits.com/onepassword). This enables a staff member to store multiple account details in one place, making it more manageable to use different passwords on different accounts.


  1. Being open with people on how we are using their personal data. ‘Fair Processing (Privacy) Notice’


    1. Overview

Surfers Not Street Children has a duty to ensure that our network and contacts are informed about what will happen to their personal information. If personal information is not sensitive the need for explicit consent is reduced.

In relation to personal information, Surfers Not Street Children must

  1. Be open with our network and contacts about where personal information is stored, and be clear that it will only be used for purposes for which it was given.

  2. For Surfers Not Street Children Event Response cards, or similar information collection devices, a brief sentence will be included saying the data will be stored and processed by Surfers Not Street Children, and that we will not pass on details to a third party.

Example: “Please note that in receiving your details, we recognise our legal duties to store and protect data in accordance with the Data Protection Act 1998. Your details are managed by Surfers Not Street Children. We will not pass your details to any third parties.”


  1. Office 365, acceptable use


    1. Use of Email Accounts

Surfers Not Street Children provides an email system to support its activities. Access to this system is granted to staff and office volunteers on this basis.

Non-Surfers Not Street Children email accounts must NOT be used by staff or volunteers in their Surfers Not Street Children work i.e. information should not be or sent from, a non-Surfers Not Street Children email address or emailed by staff or volunteers to their own non-Surfers Not Street Children email address.   


  1. Clear desk, clear screen and secure waste

    1. Overview

It is recognised that, whether working at a permanent desk or temporary table in a coffee shop, information displayed on our screens or on a paper notepad may be visible to others. Printouts of personal data can also be seen by others.

    1. Policy

  1. When working with personal data a staff member must be aware of their environment to ensure no one is eavesdropping or overlooking them.

  2. When working in the office, and you need to leave your desk, we recommend you ‘lock’ your computer screen so no one can start using your computer.

  3. When working in the office be aware of the paper on your desk. If someone were to stand over your desk would they get access to information they shouldn’t have? This applies to other staff members, visitors, and any intruder. There is a clear desk policy in place.

  4. Dispose of paper with personal data on it securely. Do not just put it in your paper recycling. Shred it first.


  1. Sharing personal information with other people/organisations

    1. Overview

Working in partnership with other organisations is an important part of Surfers Not Street Children’s work.

    1. Policy

However, under NO circumstances will personal data be shared with an external organisation without the prior CONSENT of the person whose data it belongs to. Staff must NOT share first and seek permission later.


  1. Social media

    1. Overview

Social media is an important part of Surfers Not Street Children’s work and is encouraged to help fulfil Surfers Not Street Children’s aims and objectives. However, when using social media it can be incredibly easy unintentionally to share personal information. Doing so would represent a breach of our requirements in law.

    1. Policy

  1. Staff must not allow their engagement with social media to harm working relationships with or between staff, the network or other contacts.

  2. Staff must not use social media as a method of publicly disclosing personal information about staff, the network or other contacts.

Staff must also be aware of their own personal online security when using social media. Staff should take appropriate steps to reduce the risk of

  1. identity theft – by using any available privacy settings to ensure that access to their account is limited

  2. their other online accounts being compromised – by not posting passwords, or any personal information that has been used as a password (or part of a password) such as birthdays, place of birth, names of spouse, children and/or pet.


  1. Websites

    1. Overview

In addition to the main Surfers Not Street Children website (www.Surfers Not Street Children.org.uk) and the Surfers Not Street Children Mailchimp account, most ministry areas of Surfers Not Street Children will have a Facebook group page to help in connecting with a specific target audience. All websites will come under this policy.

    1. Policy

  1. Where ANY personal data is collected from a website, e.g. through a contact form, a privacy statement will be included on that website. This statement will give clear guidance to the reader on how that information is stored, and how it will be used, and what they can do to see a copy of the information stored on them.

  2. Payment processing will always be through a third party (e.g. PayPal) with a proven track record of secure payments.

  3. All domain names will be purchased through the office and centrally managed.  Should a website be hacked and content changed, the name can be redirected quickly to an alternative site.


  1. Credit Cards

    1. Policy

  1. Surfers Not Street Children will never store credit card information.

  2. Payment processing on Surfers Not Street Children websites will always be via a trusted third party e.g. PayPal.

  3. Credit card details received over the telephone to the Surfers Not Street Children office may temporarily be written down to receive a donation, but will be immediately shredded following the successful completion of the transaction. This is always within the same day.


  1. Backup procedures

    1. Overview

Surfers Not Street Children recognises the importance of handling personal information appropriately – including maintaining the availability and integrity of information.

Surfers Not Street Children therefore ensures that steps are taken to back up personal information. In the event of accidental loss, damage or destruction of information, these steps will enable the information to be restored.

If a staff member is using an external hard drive to back up files then there must be some physical security around that drive. Remember that the drive will contain personal data. Recommendations are to encrypt the drive, or not take it out of your home.


  1. Retention and deletion of personal data

Surfers Not Street Children recognises that personal data must not be kept for longer than necessary.

Staff members storing personal data locally on their own devices are responsible for

  1. keeping that information up-to-date; and

  2. deleting the information once it is not needed for the purpose(s) it was collected.


  1. When someone makes a request to see the information held on them: ‘Subject Access Request’


If a formal request has come from a member of the public asking for a copy of the information that is kept on them, this will be dealt with by the Director of Surfers Not Street Children or someone appropriately nominated by the Director. This is relevant to personal data stored on individual laptops, team file stores, and within the office.

A staff member is responsible for informing the Director immediately should this request be made to them.

The Operations Director, in responding to the member of the public, will check the following:

  1. The identity of the person making the request.

  2. The authority of the person to make the request.

  3. The request; there needs to be enough detail in the request to ensure we can actually supply the information being requested.

A payment of £10 can be taken from the member of the public (paid to Surfers Not Street Children) if responding adequately to the request(s) requires a lot of time.

Refer to the appendix for the checklist to follow for a ‘Subject Access Request’.


  1. How is personal data secured? ‘Access Control’

Certain areas of the computer system and paper files are restricted. Only those people who need access to information will have access to it.



  • Network Information – Access restricted to the Director and other people appropriately nominated by the Director.

  • Donor Information – Access restricted to the Chair of Trustees and other people appropriately nominated by the Chair of Trustees.

  • Employee Files – Access restricted to the Chair of Trustees, the Director and other people appropriately nominated by either of them.


Access restricted to the Chair of Trustees, the Director and other people appropriately nominated by either of them.  



Principle 7 of the Data Protection Act requires Surfers Not Street Children to ensure the personal data that is kept is appropriately secured so that people who don’t need to see the information can’t get to it. When allowing people to borrow your laptop or tablet, remember that it will give them the ability to access information they don’t need to see. You are responsible for protecting that personal data.


  1. Reporting accidental loss, or theft, of personal data

    1. Overview

If personal data has gone missing, is stolen, or corrupted, then the following process will take effect to ensure it is managed.

Under data protection legislation, significant breaches

    1. Staff and Official Volunteer responsibilities

It must be reported to the Director of Surfers Not Street Children if it is suspected that personal data may be missing, stolen, or open to those who shouldn’t have access. Common examples include a laptop left on a train, a lost USB storage drive, or a stolen phone.

Report the suspicion immediately: the sooner we know, the quicker we can take steps to manage the situation. Do not wait until the end of the day/week to mention anything.

    1. What will happen next?

  1. Do not panic.

  2. Contain the breach and recover:  The Director of Surfers Not Street Children along with the staff member in question will identify what personal data is involved and map out the extent of the breach. Then they will contain the breach, arranging for relevant passwords to be changed.

  3. Assess the risks: The risks will be assessed. Could the data breach harm individuals (e.g. through financial damage, emotional distress, physical damage)? Is the volume of information significant, in terms of number of records? Is the volume of information significant, in terms of amount of information on an individual? Is the personal information sensitive?

  4. Decide whether to report to the Information Commissioner’s Office: They will consider whether the incident needs to be reported to the Information Commissioner’s office.

  5. Letting people know: Communicate to the individual(s) affected and/or the Information Commissioner’s Office, as required.

  6. Learn lessons: Review the situation and learn any lessons, improving practices or amending this policy as necessary. Once the above is done, review the situation. Can lessons be learnt?

A thorough ‘Information Security Incident Checklist’ is provided in the Appendix, which will be followed in such times.


  1. Guides produced by the Information Commissioner’s Office

    1. Guide to Data Protection

As Surfers Not Street Children needs to comply with data protection legislation, it may be helpful to refer to the ICO’s guide for those who have day-to-day responsibility for data protection:  https://ico.org.uk/for-organisations/guide-to-data-protection/.

    1. Guide to Privacy and Electronic Communications Regulations

As Surfers Not Street Children sends out electronic marketing messages, it must also comply with the Privacy and Electronic Communication Regulations (“PECR”).  The PECR sit alongside the data protection legislation, giving specific privacy rights in relation to electronic communication. The ICO has produced a guide for organisations:  https://ico.org.uk/for-organisations/guide-to-pecr/.

In summary, under the PECR, the following are key considerations for Surfers Not Street Children (as derived from the above Guide):

  • The PECR are derived from European law, the e-privacy Directive.  They sit alongside the data protection legislation, giving people specific privacy rights in relation to electronic communications.  They give people specific statutory rights in relation to electronic communications.

  • Some of the PECR rules only apply to “service providers” that provide a public electronic communications network service, which of course Surfers Not Street Children does not; other rules apply even if you are not a service provider.

  • Electronic communications include emails.  “Direct marketing” is defined as “the communication (by whatever means) of any advertising or marketing material directed to particular individuals” (s11(3) Data Protection Act); this covers all advertising and promotional material, including that promoting the aims of a not-for-profit organisation, for example a charity.  So our Surfers Not Street Children emails are “direct marketing”.

  • Most of the rules of the PECR only apply to unsolicited marketing messages.  Our Surfers Not Street Children weekly emails are “unsolicited” within PECR: a solicited message is one that is actively requested i.e. where someone specifically asks us to provide particular information (and a solicited message can be provided without worrying about the PECR).  Even though someone has “opted in” to receiving marketing from Surfers Not Street Children, the message is still “unsolicited” because it has not been requested specifically. Any unsolicited message must comply with the PECR.

  • A person’s consent is often needed before sending them a marketing message.  The consent must be knowingly and freely given, clear and specific. (It is worth noting that consent must involve some sort of opt-in, or positive action e.g. ticking a box, clicking an icon, sending an email or subscribing to a service.) For Surfers Not Street Children, this will happen when the individual initially asks/agrees to go on our database.

  • There are tighter rules on “personal data breach” by a “service provider” under the PECR – effectively requiring notification within 24 hours every time there is a breach, whether or not it is significant.  However these do not apply to Surfers Not Street Children, as we are not a “service provider”. (A “data protection breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”.)

  • So if there is a breach, Surfers Not Street Children needs to comply (only) with the data protection legislation requirements, as set out in this Policy; essentially, the Information Commissioner wants to hear about serious data security breaches.


  1. Appendix


    1. Ten Point Checklist for Getting Started


  1. I am aware what personal data is. (Section 2)

  2. I am aware that personal data collected and stored by myself in relation to my work with Surfers Not Street Children comes under this policy. (Section 5)

  3. I am aware it is my responsibility to have a virus checker on my computer. (Section 4)

  4. I am aware it is my responsibility to back up personal data on my computer. (Section 4)

  5. I have given consideration to where I am storing personal data, i.e. Dropbox, local computer, Mailchimp, Office 365, and I have followed the password policy. (Section 6)

  6. I am aware that I have a duty to be open with people about what will happen to the personal data I collect. (Section 7)

  7. I will never share personal data outside of Surfers Not Street Children. I can contact the Director of Surfers Not Street Children in the office should I have a question. (Section 10)

  8. I have given consideration to any personal data I have and confirmed it is up to date. (Section 15)

  9. I am aware that if someone brings me a formal request to see the information Surfers Not Street Children holds on him or her I will immediately pass that request on to the Director of Surfers Not Street Children. (Section 16)

  10. If I suspect that I have lost any device that contains personal data (e.g. laptop, phone, tablet or USB stick), I am aware of my responsibility immediately to inform the Director of Surfers Not Street Children. (Section 18)






    1. Subject Access Request Checklist


Step 1 – Validate the Request



Check identity



Are you satisfied that the person is who they say they are?


You can ask for sufficient information from the requester to enable you to confirm their identity. This is because you must only disclose personal information to the individual (or their representative – see 2. below).


Do not discuss a request, or whether you do or do not hold personal information, until you are satisfied of the requester’s identity. This is because even confirming that personal information is held could divulge information about someone.  



Check authority



Are you satisfied that the person has the authority to make a request on behalf of someone else?


This will be relevant when someone is (i) asking to see someone else’s personal information, or (ii) explicitly claiming to make a request on behalf of someone else.

No individual has an automatic right under the Data Protection Act to request access to someone else’s personal information. However, someone can agree to a representative making a request for them (e.g. a parent for a child; a solicitor for their client; where there is power of attorney). You therefore need to check this agreement.  



Check request



Do you have enough information to locate what is being requested?


You can ask for sufficient detail from the requester to enable you to locate the personal information they are seeking. This is because people only have a right of access to their own personal information.  


If you have personal information for a number of people with the same name, you could ask for further details from the requester (e.g. date of birth) to distinguish them from the other people.  


If the request is for ‘all personal information’ you could ask whether any specific information might satisfy the request, so that could be processed first.




Check payment



Are you going to ask for £10 to process the request?  


You are entitled to charge £10 for processing a Subject Access Request and we may decide to do so if responding to the request requires a lot of time.


If so, have you received payment?


You do not have to start processing the request until you have received payment.



Step 2 – Locate the personal information


Record of electronic systems searched (table columns): Electronic system name; Search undertaken; If no personal information has been located – document any possible rationale; Dates / range of dates.

Record of employees consulted (table columns): Employee consulted; Search undertaken; If no personal information has been located – document any possible rationale.

Step 3 – Review the personal information  


Once the personal information subject to the request has been located, it must be reviewed.  


Review of Third Party Personal Information

The following should be considered for each piece of third party personal information:  

1. Can you disclose the personal information without disclosing information relating to, or identifying, anyone else?


Note: you should consider not only the information you are about to disclose, but also whether the information could be used with any other information you think the requester might have (or be able to get).




No / unsure


>> Include the third party personal information in the response.  

>> Continue to 6 >>

>> Continue to Q2 below >>

2. Are the third party’s details simply not part of the request?  


i.e. the third party’s name and information are unrelated to the requester. For example, on a list of attendees or list of names and addresses.  

Not part of the request


Are part of the request (or think they are)


>> Blank out / delete them from the response.  

>> Continue to 6 >>

>> Continue to Q3 below >>

It is not possible to separate the third party information from the personal information of the requester. Consider the questions below:

3. Can you consult the third party and ask for their consent?


Note: You must be sure that the requester is happy for you to approach the third party – i.e. because in doing so, you will be informing the third party that the requester has made a request (which in itself could be something the requester wants to keep private)





The requester did not want us to, or it is not possible (we do not know where they are) >> Continue to Q5


>> Continue to Q4 >>

4. Has the third party agreed that the personal information, which involves them, can be disclosed to the requester?


Keep a record of the third party’s decision – whether there is agreement, or what the rationale is for not providing consent.  


(or they are incapable of giving consent)




>> Continue to Q5


>> Include the third party personal information in the response.  

>> Continue to 6 >>


There isn’t a question 5!


6. Summary – Third Party Personal Information

Provide an explanation of the decision you reached.  Include references to where the third party personal information was located and the decision reached in each instance.

Document / file name

Location of the third party personal information












Review of possibly exempt personal information

Are there any other reasons for wanting to withhold some or all of the personal information subject to the request?

In general, the threshold for withholding personal information is high – you need a strong reason (or reasons) to justify withholding personal information from someone. For example, if you think that disclosure would be likely to harm a particular function or an individual, the ICO is clear that there should be a “substantial chance (rather than a mere risk) that complying with the [request] would noticeably damage the discharge of the function concerned.” Common reasons are outlined below:

a) Crime and taxation

Personal data processed for certain crime and taxation activities; these are:

  • the prevention or detection of crime;

  • the capture or prosecution of offenders; and

  • the assessment or collection of tax or duty.

b) Human Resource issues relating to the requester  

i.e. Confidential references / Management information / Negotiations  

c) Legal advice  

i.e. information subject to legal professional privilege

d) Social care

i.e. where providing access to information about social services, health or education would be likely to cause serious harm to the physical and/or mental health or condition of the requester or any other person.  

e) Health records

f) Education records



    1. Information Security Incident Checklist


Step 1 - Do not panic


Step 2 - Contain the breach and recover



Designate an ‘incident lead.’

This should be someone senior enough to ensure actions are taken and sufficient resources allocated.  





If the threat is ongoing

Take measures to stop the breach, or reduce the risk of a further breach occurring – for example, by changing passwords or access codes / closing an account / deploying patches.





If there has been a suspected or actual loss of information

Try to locate the information. Where possible, work with the individual who raised the issue and attempt to have the information returned.





If there has been damage to data

Initiate backup procedures.  



Issue holding statements to

Users – so they are aware of the need to be vigilant, both to locate lost information and to recognise an attempt to use lost or stolen data to access a service user account unlawfully.

The individual who raised the issue / who may have received the information in error – so they are aware that the information was not intended for them, and should be returned.





Where appropriate at this stage, issue holding statements to

The individual(s) affected – e.g. where the breach may affect life or death, or cause physical harm, or otherwise cause imminent substantial damage or distress.    

The media – e.g. where the individual who raised the issue / who may have received the information in error, or anyone else, is planning to approach the media directly.



Step 3 - Assess the risks. Deciding whether to report to the Information Commissioner’s Office (ICO)

The most important aspect to consider is the harm, or potential harm, to the individuals whose personal information is subject to the incident. Consider the following questions:


1. Could the breach cause harm to individuals?

The ‘potential detriment’ (i.e. harm) to the individuals is the overriding concern.

· Is someone at risk of one or more of the following:

a) Financial damage  

e.g. fraud, theft

b) Emotional distress

e.g. the knowledge that their sensitive information might be accessed or misused by someone who has no need or right to access it

c) Physical damage

e.g. being targeted and attacked.

· Are there any controls in place that will reduce the potential impact?

e.g. Is there encryption in place? e.g. Is the information already publicly available?

· What has happened to the information?

e.g. deliberately stolen (high likelihood of misuse); opportunist theft (lower likelihood of misuse); damaged or destroyed?  

· Could the information be used with other information to increase the detail someone might hold about the individual(s)?

e.g. trivial snippets of information could be combined with other, publicly available information (such as name and address) to provide more detail about someone.  






2. Is the volume of information significant – in terms of number of records?

A high number of records and a real risk of individuals suffering some harm.

e.g. 100 names, addresses, dates of birth, NI numbers.  

e.g. The loss of a backup tape containing 10,000 service user records.  






3. Is the volume of information significant – in terms of amount of information about an individual (or individuals)?

A high volume of personal information and a real risk of individuals suffering some harm.


e.g. Three faxes containing the entire case history of a person, which includes details of family members.







4. Is the personal information sensitive?

There is a significant risk of individuals suffering substantial distress, financial loss or harm.  

Is the information sensitive personal data (as defined by the Data Protection Act) i.e.

  • Criminal record

  • Physical or mental health

  • Racial or ethnic origin

  • Religious beliefs

  • Trade Union Membership

  • Political opinions.

A breach involving a single record should be reported if the information is particularly sensitive – e.g. a detailed medical history.






Consideration should also be given to the impact on  

  • your organisation’s reputation, and on your stakeholders.  

  • the wider public – e.g. risks to public health or loss of public confidence in the service you provide.  




Step 4 - Letting people know



If you answered yes to any of the questions in Step 3, you should report to the ICO.


If there is a doubt about reporting, the presumption should be to report.


Reporting is not mandated by law, but has the following benefits:

  • The ICO makes clear that self-reporting of incidents is one of the ‘behavioural issues’ it considers a positive ‘mitigating feature’ and will take into account when deciding the amount of any fine. It demonstrates that you are proactively engaging with them.

  • It demonstrates to those affected that you are being open, and are looking to help address their concerns.  

  • It will, once known, enable you to demonstrate to your stakeholders, and the wider public, that you approached the incident in an open manner, and were looking to address the issues raised and improve performance.


What to report to the ICO  

The ICO asks that serious breaches be reported using the ICO’s Security Breach Notification Form.  



What to say to the individual(s) affected

The communication should have a clear purpose, e.g. enabling them to take steps to protect themselves, such as cancelling credit cards or changing passwords, or to be vigilant for suspicious activity.  

The communication should

i.     be tailored to meet the needs of the individual or group of individuals affected.

e.g. the elderly (may have lower awareness of IT or social media); children; a vulnerable group (it may be read and acted upon by a carer or guardian).

ii.     only be made to those affected.  

i.e. informing those not affected could increase concern unnecessarily.   

iii.     be made in the most appropriate method depending on

  1. the urgency of the situation, and

  2. the needs of the individual or group of individuals affected.

e.g. letter, email, text, message posted on a website, telephone call.


iv.     include explicit, clear advice on what the individual can do to reduce the risks. Consider whether there are any further steps you can offer to help.

e.g. subscription to anti-fraud measures; compensation.



What to say to the media

Include details of

  • what controls were in operation at the time of the breach,  

  • any other measures that you consider are likely to reduce the impact of the breach,  

  • details of the notifications made above (to the ICO, the individuals affected, and any other regulators) and

  • what actions you are currently taking.


Step 5 - Lessons learnt  

It is important to:


  1. Consider the actions you took to address the incident,  

  2. Understand and evaluate the causes behind the incident,

  3. Document the lessons you learnt.  

This step might drive an action plan or other remedial measures to improve compliance or performance in the future.  

Examples include:

  • Review the level of ICT security in place – e.g. firewalls, patches.

  • Increase the amount of knowledge you have about the nature and extent of personal information handled by your organisation – e.g. by undertaking an information audit, or reviewing your existing one.

  • Review existing policies and procedures – to ensure they sufficiently address all relevant data protection concerns.