Personal data breaches and related incidents

This guidance is designed to help health and care organisations deal with personal data breaches and incidents, for example, losing personal information. It provides advice on what a personal data breach and related incidents are and the steps that need to be taken if a personal data breach or incident occurs.

Health and care organisations are committed to handling information safely and securely.

In this guidance:

  • an incident is where there is a problem with a network and information system, for example, a computer system which impacts upon health and care services
  • a personal data breach is when identifiable information is impacted, for example, it is lost

Some incidents may result in a personal data breach, for example, a cyber incident where IT systems go down and data is stolen by criminals. Other incidents may not result in a personal data breach, for example, where an IT system used for tracking which medical equipment needs servicing goes down.


Guidance for patients and service users

Health and care organisations hold data about you and are required by law to keep this information secure. This includes electronic and paper records.

However, accidents may occasionally happen, and your records could be impacted, for example by:

  • being shared inappropriately, for example with another patient with the same name
  • being mistakenly destroyed, for example being mixed up with a set of records that are due for destruction
  • becoming unavailable, for example due to an IT system going down
  • being changed so they become inaccurate, for example due to a glitch when a new IT system is installed

If this happens, steps will be taken to ensure that:

  • it doesn’t happen again
  • the risks to you and your care are minimised
  • everyone learns from the mistake

If there is a breach of the security of your information and there is a high risk to your rights and freedoms, you should be informed by your health and care organisation. If there is a potential risk to you, your health and care organisation will also inform the Information Commissioner’s Office (ICO), for example, if your personal information was lost in a public place. Your health and care organisation may contact you directly, for example, by sending you an email or letter. Alternatively, they may put information on their website.

If you discover a potential personal data breach, you can contact the organisation that you think has caused the personal data breach and make a complaint through its complaints process.


If you are dissatisfied with the outcome of your complaint, you can contact the Information Commissioner’s Office. The Information Commissioner's Office has provided advice and some wording to use if you are worried about how an organisation has handled your information.


Guidance for health and care professionals


Guidance for IG professionals

These IG pages provide clear and consistent IG advice and guidance to patients and service users, health and care staff and IG professionals. NHS England convenes a working group to check and challenge the guidance.


Updates since original publication


Introduction

Definitions of personal data breach and incident added.

Health and care professionals section

Updated examples.

IG professionals section

Added information on requirements in Network and Information Systems (NIS) Regulations.

NIS incident definition added, and NIS guidance linked.

11 February 2026

Corrections to typos and broken links.

Last edited: 11 May 2026 1:25 pm