Charities reported 112 data breaches to the ICO in final quarter of 2019-20

26 May 2020 News

Charities reported 112 data breaches in the fourth quarter of 2019-20, according to the latest report on data breach trends from the Information Commissioner’s Office (ICO).

The figure includes 34 cybersecurity breaches such as phishing and ransomware attacks. 

Across all sectors there were 2,629 breaches reported in the fourth quarter, which covers January to March 2020. The most reported breaches were in the health sector. 

More than 400 reported breaches

In 2019-20 as a whole, charities reported 447 incidents. The sector accounted for less than 4% of the overall reported data breaches in the past year.

In quarter one they reported 125 data security incidents to the ICO, while in quarter two they reported 108 and in quarter three they reported 102.

The figures in the data incident trend reports are based on the number of reports of personal data breaches received by the ICO, not necessarily the number of incidents. 

Organisations are required to notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people’s rights and freedoms. If an organisation decides that a breach does not need to be reported, they should keep their own record of it and be able to explain why it was not reported.

An ICO spokesperson said: “Good information handling makes good business sense. It enhances a business's reputation, increases customer and employee confidence, and by making sure personal information is accurate, relevant and safe, saves both time and money.

“Under data protection law organisations have the obligation to keep personal data secure, whether in electronic or paper format, and to report serious security breaches to the ICO within 72 hours.

“Organisations should regularly review, and if necessary improve, their security measures and data governance practices to ensure that they are taking the appropriate measures to safeguard the personal data they hold.”

The ICO says that charities should continually train all staff on their data protection responsibilities and make sure staff know what to do if there is a breach.

Further detail on breach reporting can be found on the ICO's website. In addition, the website has a self-assessment tool which aims to help an organisation determine whether it needs to make a report.
