London Borough of Croydon

The Data Protection Act 2018 and the GDPR introduce a duty upon the council to report certain types of personal data breach to the Information Commissioner’s Office within 72 hours of the council becoming aware of the incident.

A “personal data breach” is a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data. This does not apply only to instances where personal data has been lost; it covers any occasion when there has been a breach of information security:

  • where there is an unauthorised or accidental disclosure of or access to personal data
  • where there is an unauthorised or accidental alteration of personal data, and
  • where there is an accidental or unauthorised loss of access to or destruction of personal data

The council’s primary concern when dealing with a personal data breach will be to contain the breach, recover the personal data and ensure that no harm comes to residents following such an incident. The council has robust procedures in place to conduct thorough investigations when such an incident is reported.

All incidents of personal data breach are immediately reported to the Chief Information Officer (CIO) and the Data Protection Officer (DPO) and are also recorded in the Data Breach Register. If the incident is likely to result in a high risk to the individuals concerned (such as through identity theft), the council will notify those concerned.

After being informed of a data breach incident, the DPO will decide whether or not to notify the Information Commissioner’s Office, in consultation with the CIO and Caldicott Guardian, after careful consideration of the incident and the likely risks to the individuals concerned.

Report a suspected personal data breach online or call 020 8604 7777

