Reporting a data breach procedure
How to report a data breach
Page last updated 1 October 2025.
This page is part of our managing information procedure.
This procedure explains how to follow the managing information policy by reporting and responding to data breaches.
This procedure is for volunteers. Girlguiding employees must use the staff procedure on the intranet.
What’s a data breach?
A data breach is an incident that results in loss, theft, deletion, unauthorised sharing or unauthorised access to personal data.
Some examples include:
- Emailing personal data to the wrong person.
- Leaving unit health forms on the bus.
- Leaving documents in the boot of a car which is then stolen.
- Posting personal data on social media without permission.
- Losing a unit contact list.
- Letting someone else use your GO account or password.
- Losing a memory stick with an emergency contact list on it.
- Being overheard talking about personal data.
Reporting a data breach
You must report all data breaches to the HQ data protection team. You must make your report as soon as possible, and always within 24 hours of finding out about a breach. If you’re supervising anyone under 18, it’s also your responsibility to make sure they know to report breaches to you.
You must still report the breach even if you’re able to get the information back. By law, Girlguiding must keep a record of all confirmed and potential breaches.
You can report a data breach in a few different ways:
- Filling in a data breach notification form (Word, 230 KB) and emailing it to [email protected].
- Emailing us at [email protected] with the information listed below.
- Calling us on +44 (0)20 7834 6242 ext. 3060.
If you’re not sure if a data breach has taken place, report it anyway. It’s better to over-report than under-report.
You don’t need to complete the data breach notification form to let us know about a breach. But it’s really useful if you let us know as much of the following information as possible:
- When did the breach happen?
- When was the breach discovered? This might be the same as above.
- A description of the breach – how did it happen? Were any Girlguiding systems affected? Is there any police involvement?
- What kind of personal data was involved in the breach? For example, names, contact information, or health information.
- How many people are affected?
- Did the breach include young members’ data?
- Have the people affected been informed?
- What steps have been taken to reduce the impact or risk of the breach?
Reduce the impact
Try to reduce the impact of the breach as soon as possible.
For example:
- If you’ve sent an email to the wrong person, send a second email asking for it to be deleted.
- If someone else finds out your password for a Girlguiding online platform, reset it or contact membership systems to have your account suspended.
- If you’ve left documents with personal data somewhere, like on the bus or in a café, go back and check if someone has handed them in.
- If personal data has been posted online then delete it if you can.
What happens next?
After you’ve told us about the data breach, we’ll work with you on any further action that’s needed.
This could include:
- Contacting the people whose personal data has been affected by the incident.
- Making changes to the way you or the person who caused the breach handles personal data in the future.
- Doing more training on data protection.
You must complete any follow-up actions given to you by the HQ data protection team. Refusal or failure to do so will be looked at under the managing concerns about adult volunteers policy and procedure.



