Organisations have a duty to report certain breaches to the ICO.
“The accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.”
Examples include:
- damage to reputation
- discrimination
- financial loss
- loss of confidentiality
- other economic/social disadvantages.
Personal data breaches likely to result in a risk to people’s rights must be reported to the ICO within 72 hours.
Since patients have a right to confidentiality, the obligation to report will apply to many of the breaches that occur in a pharmacy.
If there is a high risk that a breach is likely to affect the rights of individuals, the individuals affected must also be informed.