Recent data breaches and their impact on organisations

Organisations of all sizes are susceptible to data breaches and the damage caused by these breaches, both reputationally and financially, can be very significant. It is therefore vital that organisations have effective systems in place to protect the information that they hold and have procedures for preventing and dealing with any breaches.

A data breach occurs when the information held by an organisation is stolen or accessed without authorisation. Under the UK GDPR, organisations have a duty to report certain personal data breaches to the relevant authorities within 72 hours of becoming aware of the breach (if this meets the threshold to report). Organisations also have a duty to keep a record of all personal data breaches in any case, and relevant individuals must be informed if the breach has a high risk of adversely affecting them.

The following recent cases highlight the detrimental impact that data breaches can have on both organisations and individuals:

Police Service of Northern Ireland (PSNI)

In August 2023, PSNI received two freedom of information requests from an individual requesting information about the number of officers in each rank and their status, i.e. substantive, temporary or acting. PSNI provided this information in an Excel spreadsheet which, unnoticed by quality assurance, mistakenly included a worksheet tab with the surnames, initials, ranks and roles of all 9,483 PSNI officers and staff. PSNI was alerted to the breach internally at 4:10pm the same day and the file was deleted from the website at 5:27pm. PSNI made an announcement 6 days later. The ICO conducted an investigation and found that the internal procedures and sign-off protocols had been inadequate. In October 2024, PSNI was fined £750,000 by the ICO for exposing personal information of its entire workforce. The fine would have been £5.6 million; however, the Commissioner used his discretion in this case as he was mindful of PSNI’s financial position and did not want to divert public money from where it was needed.

The Central Young Men’s Christian Association (the Central YMCA)

The Central YMCA had incorrectly sent an email to 264 individuals participating in an HIV support programme using CC instead of BCC. As a result, the email addresses of the recipients were revealed and 166 individuals could be identified or potentially identified to be living with HIV. The ICO fined the Central YMCA £7,500 for the data breach of sensitive information which denied basic dignity and privacy for individuals living with HIV. Here, the Commissioner also used his discretion under the ICO’s public sector approach and reduced the fine which was initially recommended to be £300,000.

South Tees Hospitals NHS Foundation Trust (the Trust)

In November 2022, an employee of the Trust sent a standard letter to the father of a child patient informing him of an upcoming appointment. The appointment letter, however, was sent to the wrong address and was sent to the family of the child’s mother. This incident caused significant distress and upset to the patient and the family. The ICO launched an investigation and found no evidence of the Trust having a formal documented process or procedure in place. The ICO issued a reprimand to the Trust and advised that a formal written procedure be put in place to mitigate risks and ensure correct contact details were used.

The above cases demonstrate the need for organisations to have breach detection, investigation and reporting procedures in place and to notify relevant authorities or individuals without undue delay, where this is required. They also demonstrate that financial and reputational damage can be limited if an organisation has robust policies and procedures in place. If you have any questions about data breaches or would like assistance with implementing data protection policies and procedures within your organisation, please contact a member of our Data Protection Team. Our team is more than happy to assist and can provide a short assessment tailored to your organisation’s needs.

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Author profile

Jesse Akiwumi

Solicitor

+44 118 960 4662
