Data protection guidance for Electoral Registration Officers and Returning Officers

Requirement to notify when a personal data breach has occurred

When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms:

  • if there is a risk, you must notify the ICO within 72 hours of becoming aware of the breach
  • if there is a high risk – in addition to notifying the ICO, you must inform the individuals concerned directly without undue delay

ICO guidance defines a high risk in terms of the severity of the potential or actual impact on individuals: “If the impact of the breach is more severe, the risk is higher; if the likelihood of the consequences is greater, then again the risk is higher. In such cases, you will need to promptly inform those affected, particularly if there is a need to mitigate an immediate risk of damage to them. One of the main reasons for informing individuals is to help them take steps to protect themselves from the effects of a breach.”

Where the breach is unlikely to result in a risk to people’s rights and freedoms, you do not have to report it to the ICO. If the risk is not high, you do not have to notify the individuals concerned. In both cases, you need to be able to justify your decision, so you should document your reasoning in line with the accountability principle.

The ICO also has the power to compel you to inform affected individuals if they consider that there is a high risk.

Last updated: 22 February 2023