Information and Data Protection Office

Make a complaint or report
Information and Data Protection Office > Information > Data security and breaches

Data security and breaches

This page explains your security and breach response duties under the Freedom of Information and Data Protection Act 2026.

Security obligations

  • You must take appropriate technical and organisational measures to protect personal data
  • Your security measures must be proportionate to the level of risk
  • You must protect personal data against unauthorised access, loss, damage and misuse

What counts as a data breach

A data breach is any incident that results in the loss, unauthorised access, disclosure or destruction of personal data.

Notifying the IDPO

If a data breach could risk harm to individuals, you must notify the Information and Data Protection Office without undue delay.

Informing affected individuals

If a breach presents a high risk to individuals, you must inform those individuals without undue delay.

After a breach

You must follow any binding directions issued by the Information and Data Protection Office.

You must take steps to reduce the risk of further harm and prevent future breaches.