Reporting a data breach procedure

What to do if personal data has been lost, stolen or shared inappropriately.

Last reviewed: 6 July 2022

This guidance is part of our Managing information procedure.

It’s everyone’s responsibility to keep personal data safe, secure and confidential. 

But sometimes mistakes happen. The most important thing is to act quickly when they do. 

Remember, you’re responsible for reporting data breaches to our Data Protection team at HQ immediately after you find out about a breach. If you’re supervising a member or volunteer under 18, it’s also your responsibility to make sure they know to report breaches to you. 

What’s a data breach? 

A data breach is an incident that results in loss, theft, deletion, unauthorised sharing or unauthorised access to personal data.  

Some examples include:  

  • Emailing personal data to the wrong person. 
  • Leaving unit health forms on the bus. 
  • Leaving documents in the boot of a car which is then stolen. 
  • Posting personal data on social media without permission. 
  • Losing a unit contact list printed from GO. 
  • Letting someone else use your GO account or password. 
  • Losing a memory stick with an emergency contact list on it. 
  • Being overheard talking about personal data. 

What do I do if I discover a data breach? 

Report 

You must report all data breaches to our Data Protection team at HQ. You should make your report immediately if possible, and always within 24 hours of finding out about the breach.  

You still need to report the breach even if you’re able to get the information back. By law, Girlguiding must keep a record of all actual and potential breaches. 

You can report a data breach by: 

or 

  • if you can’t find the form or you’re having trouble filling it in, email us at [email protected] or call us on +44 (0)20 7834 6242 ext. 3060. 

If you’re not sure if a data breach has taken place, report it anyway. It’s better to over-report than under-report! 

Reduce the impact 

Try to reduce the impact of the breach as soon as possible.  

For example: 

  • If you’ve sent an email to the wrong person, send a second email asking for it to be deleted. 
  • If someone else finds out your GO password, reset it or contact membership systems to have your account suspended. 
  • If you’ve left documents with personal data somewhere, like on the bus or in a café, go back and check if someone has handed them in. 
  • If personal data has been posted online then delete it if you can. 

Follow up 

After you’ve sent us the data breach notification form, we’ll work with you on any further action that’s needed.  

This could include: 

  • Contacting the people whose personal data has been affected by the incident. 
  • Making changes to the way you or the person who caused the breach handles personal data in the future. 
  • Doing more training on data protection. 

Any follow-up actions the Data Protection team gives you are compulsory. If you don’t do them, we may suspend or withdraw your membership. 

We’re here to help 

We want you to feel confident about handling a data breach. If you have any questions or concerns, please email us at [email protected] or call the team on +44 (0)20 7834 6242 ext. 3060.