0370 270 6000

Steps to take following a data breach: reporting, criminal charges and injunctions

26 July 2021

Student and staff files will be full of personal data, much of which may be particularly sensitive such as health information (known under the data protection legislation1 as “special category” data). Here we outline what universities need to do when a data breach occurs.

Your obligations

As data controllers, universities have an obligation under the data protection legislation to ensure that this personal data is processed consistently with the data protection principles and only shared with third parties if there is a lawful basis for doing so. Furthermore, as much of this sensitive information would also have been provided to universities in confidence, it cannot be shared with third parties without the consent of the person, unless it is required by law or can be justified in the public interest (such as to prevent serious harm to the person or others).

Unfortunately, it is not uncommon for data breaches to occur either due to the malicious actions of a third party or human error. In relation to the latter, this usually occurs when redactions have not been properly applied or made at all, or where certain information is shared despite this not being strictly necessary for the particular task at hand. In such situations, it is important for data controllers to immediately consider taking the following steps.

Reporting obligations

First, you should consider whether the data breach poses a risk to people. If it’s likely there will be a risk, then you must notify the Information Commissioner within 72 hours of becoming aware of the breach, where feasible. Reporting the matter to the ICO also allows you to bring the matter to the attention of the ICO’s Criminal Investigations Team if an offence under the Data Protection Act 2018 may have been committed (for example, if the personal data has been obtained or retained without your consent). If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.

Informing the police

Once you have satisfied your reporting obligations, you should also consider notifying the police and/or pursuing civil action to prevent the confidential information from being used or shared more widely. It is of course a matter for the police to investigate whether any criminal offence has been committed, but if you can present sufficient evidence of an offence then, subject to it being in the public interest, the police should instigate criminal proceedings. The police could also use their search powers to obtain and retrieve the confidential information in question, which will often be a key aim for your institution.

Obtaining an urgent injunction in civil proceedings

Civil proceedings are also a good option to prevent the confidential information from being used or disclosed further. If you need to act quickly then you will need to seek an interim injunction before the substantive claim is filed. This will require you to satisfy the American Cyanamid test, namely that: (1) there is a serious issue to be tried (see below); and (2) damages are not an adequate remedy; and (3) the balance of convenience favours the grant of an injunction.

Establishing a breach of confidence

In relation to the substantive claim, the essential ingredients of the tort of breach of confidence, as set out in Coco v Clark [1968] FSR 415, are that (i) the information is confidential in quality; (ii) it was imparted so as to import an obligation of confidence; (iii) there has been, or will be, an unauthorised use of that information to the detriment of the party communicating it. This includes confidential information that has been obtained by improper or surreptitious means, but will also cover situations where it has been obtained by mistake – for example when confidential information is inadvertently disclosed in response to a request under the data protection legislation or Freedom of Information Act.

Where a public body (which, depending on the context, may include a university) claims confidentiality in a document, the damage required to establish a claim for breach of confidentiality will be assessed by reference to the public interest. For an illustration of how these principles have recently been applied by the courts, see: London Borough of Lambeth v AM (No. 2) [2021] EWHC 186 (QB).

Contact us

Browne Jacobson’s public law team frequently advises public bodies in respect of breaches of confidentiality. Its lawyers are experienced in liaising with the Information Commissioner and police in respect of possible criminal offences and commencing civil proceedings to restrain the unlawful use of confidential information. Please contact us with any questions about the immediate steps you can take to bolster your approach to data protection or if you would like any further information on what to do in the immediate aftermath of a data breach.

 Namely, the Data Protection Act 2018 and UK GDPR 

Training and events


LUPC & SUPC Conference 2022 etc.venues, 133 Houndsditch, Liverpool Street, London EC3A 7BX

Come and meet the team at Stand 5 in the exhibition hall at the 7th joint consortia event to discuss how we can support you & your institution.

View event


UHR Conference 2022 Online

Get on-board at this year’s UHR – the biggest and best UHR conference yet!

View event

Focus on...

Legal updates

be connected newsletter for higher education - May 2022

In this edition we provide you with the latest in legal updates, news and insight from the higher education sector.


Legal updates

Harassment and sexual misconduct in Higher Education

Cases involving the handling allegations of harassment and sexual misconduct by Universities continues to hit the news. They are clearly difficult issues for Universities given the competing duties owed to both the reporting individual and the alleged perpetrator and the inevitable sensitivities around the nature of these matters.


Legal updates

ICO consultation on research provisions guidance

The data protection legislation (namely, the UK GDPR and Data Protection Act 2018) contain various provisions that deal with the processing of personal data for research purposes.


Legal updates

be connected newsletter for higher education - February 2022

In this edition we provide you with the latest in legal updates, news and insight from the higher education sector.


The content on this page is provided for the purposes of general interest and information. It contains only brief summaries of aspects of the subject matter and does not provide comprehensive statements of the law. It does not constitute legal advice and does not provide a substitute for it.

Mailing list sign up

Select which mailings you would like to receive from us.

Sign up