Notification of data breaches to supervisory authorities

Data breaches are to be reported to the ICO either by phone via a special helpline, or online by filling in the data-breach-reporting form available at: https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/.

Exceptions to communication of data breaches to data subjects

Schedule 11 of the UK’s Data Protection Act lists the exemptions from breach notification to data subjects. Consequently, a data breach does not have to be notified where the processing was carried out for the following purposes:

  • Crime (prevention and detection of crime; apprehension and prosecution of offenders)
  • Information required to be disclosed by law or in connection with legal proceedings
  • Parliamentary privilege
  • Judicial proceedings
  • Crown honors and dignities
  • Armed forces
  • UK’s economic well-being
  • Legal professional privilege
  • Negotiations with the data subject
  • Confidential references given by the controller
  • Exam scripts and marks
  • Research and statistics
  • Archiving in the public interest

There is also no obligation of breach notification if the breach constitutes a relevant error under sec. 231 of the Investigatory Powers Act 2016.

Furthermore, the obligation to inform the data subject of a data-protection breach does not apply if the data is processed for the following purposes (Schedule 2):

  • Crime and taxation:
      • Crime prevention or detection
      • Apprehension or prosecution of offenders, or
      • Assessment or collection of a tax or duty to the extent that the application of these provisions would be likely to prejudice the criminal matters mentioned above
  • Discharging statutory functions
  • Avoiding an infringement of the privileges of either House of Parliament

Restrictions to the obligation of breach communication to data subjects

The controller may restrict the obligation to inform data subjects of the data-protection breach if the restriction constitutes a necessary and proportionate measure to (Clause 68(7) DPA):

  • avoid obstructing an official or legal inquiry, investigation or procedure
  • avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties
  • protect national or public security
  • protect the rights and freedoms of others