A personal data breach is a security incident that leads to personal data being lost, destroyed, altered, disclosed or accessed without authorisation. We have processes in place to identify, contain and assess any incident quickly.
How we respond
- Contain the incident and limit any further impact.
- Investigate what happened, what data was involved and who is affected.
- Assess the risk to the people whose data is involved.
- Record the incident, as the law requires, even where no notification is needed.
When we will tell the regulator and you
If a breach is likely to result in a risk to people's rights and freedoms, we will report it to the Information Commissioner's Office, normally within seventy-two hours of becoming aware. If the risk is high, we will also tell the affected individuals without undue delay, so you can take steps to protect yourself.
What you can do
If we notify you, follow the specific advice we give. As a general precaution, be alert to unexpected messages, do not share sign-in details, and contact us through the help centre if you are unsure whether a message is genuine.
Raising a concern
If you believe your data has been compromised, tell us so we can investigate. You can also report concerns to the Information Commissioner's Office.
See also: "How do I request a copy of my data?", "What happens to my data after I close my account?" and "Can I object to how you use my data?"