FOI reference: FOI-2025-2827
You asked
I am requesting a list of all breaches in GDPR regulation of personal data, protection and usage; data losses; or other data security incidents that have been reported to your department.
For each personal data incident that occurred between 01/01/22 and the date this request is processed (06/05/2025) please provide:
- The date and time the personal data incident occurred.
- If applicable, the date and time the personal data incident was reported to the ICO.
- If applicable, a copy of the notification document created when the personal data breach was reported to the ICO.
- A copy of any documentation containing the outcome or remedies of the personal data breach, including those reported to ICO.
- Whether those directly concerned in the personal data breach were informed.
We said
Thank you for your request.
In line with data protection legislation and best practice, we maintain records of personal data incidents to meet our accountability obligations under the UK GDPR.
We can confirm that, since the introduction of GDPR in May 2018, we have had 0 incidents that were likely to pose a risk to the rights and freedoms of individuals. This means that we have not been required to notify the ICO nor impacted individuals.
In relation to the log we hold of minor data protection incidents, naturally much of the information contains personal data of individuals, which would be withheld under s.40(2) of FOIA.
The log also contains sensitive information about the structure of our sites and systems and our response strategies to incidents which, if released, would prejudice our ability to prevent or detect criminal activity directed towards us. Therefore s.31(1)(a) of FOIA applies.
We also find that s.36(2)(c) applies in this case, as the release of the information would, in the opinion of the qualified person, prejudice the effective conduct of public affairs.