Procedure for Notifying Breaches of Data Security

ART holds significant amounts of personal data about its members and those who sign up to its training schemes. We have a legal duty to protect this information and its loss or any breach of its security could have serious consequences for the operation of the Association and could lead to possible legal action against ART by the Information Commissioner’s Office (ICO).

What is a Data Security Breach?

A Data Security Breach is not just about the loss of personal data. The ICO defines it as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.” Examples would be:

  • access by an unauthorised third party
  • deliberate or accidental action (or inaction) by a controller or processor
  • sending personal data to an incorrect recipient
  • computing devices containing personal data being lost or stolen
  • alteration of personal data without permission
  • loss of availability of personal data because of malicious activity

What must I do if I detect a breach?

Time is of the essence in dealing with any breach. Serious cases are required to be reported to the ICO with 72 hours of discovery. Therefore any staff member or volunteer who discovers or suspects a breach must report it to the IT Team ( and the Data Protection Adviser by email ( immediately.

What is the role of the Data Protection Adviser?

The Data Protection Adviser will assess the reported breach and decide whether it is serious enough to warrant a notification being made to the ICO. The Adviser will also decide whether the breach is likely to result in a high risk of harm to the rights and freedoms of the data subjects involved in the breach. If there is such a high risk, then the data subjects must be informed of the breach. The adviser will document any decisions taken and the reasons for them in case of subsequent inquiry by the ICO.

How can we avoid breaches?

ART lays down guidelines for the security of its data and all staff and volunteer members should take steps to abide by these. See Data Security Guidelines.

Procedure History

Last Modified: October 2019

Last Reviewed: October 2019


If you have any questions about this policy or data protection you are invited to contact the Association at: