URL: /partner/breaches/
The Breach Reports module allows you to record, track, and manage data security incidents. This is a DSPT requirement and critical for CQC Well-led evidence.
Any incident involving personal data should be recorded, including:
- Data loss — lost devices, misplaced paper records
- Unauthorised access — staff accessing records without legitimate need
- Data disclosed in error — misaddressed emails, incorrect recipient
- Cyber incidents — phishing, malware, ransomware
- Theft — stolen devices or physical records
- Technical failures — misconfiguration exposing data

| Level | Description | ICO Notification |
|---|---|---|
| Low | Minimal risk to individuals (e.g. misaddressed email with low-sensitivity data) | Not usually required |
| Medium | Some risk of harm or distress | Assess on case-by-case basis |
| High | Significant risk to individuals' rights and freedoms | Notify ICO within 72 hours |
| Critical | Severe and immediate risk to large numbers of data subjects | Notify ICO immediately |

- Navigate to Breach Reports
- Click Report a Breach
- Complete the form:
  - Title — clear description of the incident
  - Description — what happened, how it was discovered
  - Detected At — when the breach was identified
  - Risk Level — initial assessment
  - Affected Data — what type of data was involved
  - Affected Users Count — approximate number of data subjects
  - Actions Taken — immediate containment and remedial steps
- Click Save
If the breach poses a risk to individuals' rights and freedoms, you must notify the ICO within 72 hours. The system tracks:
- Whether the ICO has been notified
- When notification was made
- The 72-hour deadline, calculated automatically from the detection time
- Document everything — contemporaneous notes are important evidence
- Contain and remediate before investigating root cause
- Review each breach to identify systemic issues
- Report to CQC if the breach relates to a patient safety incident
- Use breach trends to update risk register entries and mitigation plans