SponsoredBuild your website with Vincony

ข้อจำกัดความรับผิดชอบ: นี่ไม่ใช่คำแนะนำทางกฎหมาย กฎหมายและคดีมีการเปลี่ยนแปลง โปรดปรึกษาทนายความที่มีคุณสมบัติสำหรับสถานการณ์เฉพาะของคุณ

UK Law Reference
คู่มือทั้งหมด
Data Protection
5 ขั้นตอน
อัปเดต 2026-04-09
UK-wide

Reporting a Personal Data Breach to the ICO

How to report a personal data breach or data protection complaint to the Information Commissioner's Office.

ภาพรวม

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 protect your personal information. If an organisation has lost your data, shared it without your consent, processed it unlawfully, or refused to comply with your data rights (such as a Subject Access Request), you can complain to the Information Commissioner's Office (ICO). The ICO is the UK's data protection regulator — it has power to investigate, issue enforcement notices, and levy fines of up to £17.5 million. You can also seek compensation in court under Article 82 UK GDPR.

ใครสามารถใช้กระบวนการนี้ได้

  • You are likely eligible to use this guide if your situation involves reporting a personal data breach to the ico.
  • You have a genuine legal basis for the matter (contract, tort, statutory right, etc.).
  • You have made reasonable attempts to resolve the matter directly with the other party first.

กระบวนการทีละขั้นตอน

1

Complain to the Organisation First

Before approaching the ICO, complain directly to the organisation that has mishandled your data. All organisations subject to the UK GDPR must have a process for handling data protection complaints and must have a Data Protection Officer (if they process data at scale). Write a clear letter explaining: what personal data is involved, how it was mishandled, which data protection principle was breached, and what you want the organisation to do. Give them a reasonable period to respond (28 days).

กรอบเวลา: Allow 28–30 days for the organisation to respond
เคล็ดลับเชิงปฏิบัติ
  • For NHS bodies, request the Data Protection Officer's contact details from the organisation's website
  • For large companies, the DPO contact is often in the organisation's Privacy Policy
  • Keep all correspondence and note the date you submitted the complaint
  • If the issue is a failure to respond to a Subject Access Request, the organisation must respond within 30 days of the request
2

Gather Your Evidence

Before submitting your ICO complaint, gather: copies of the data mishandled, your original request or complaint to the organisation, the organisation's response (or evidence of non-response), any evidence of harm (financial loss, distress, damaged reputation), and any relevant context (screenshots, emails, letters). The stronger your evidence, the more likely the ICO is to investigate.

เคล็ดลับเชิงปฏิบัติ
  • Keep originals safe — send copies to the ICO
  • If sensitive personal data (health, financial, biometric) was involved, make this clear — breaches of these categories attract more regulatory attention
  • Quantify any financial loss or distress where possible
  • For SAR failures, calculate the exact number of days the organisation was in breach of the 30-day obligation
3

Submit Your Complaint to the ICO

Submit your complaint using the ICO's online complaint form at ico.org.uk. The form asks: who you are complaining about, what happened, what you asked the organisation to do, and what their response was. Attach your supporting documents. The ICO will assess whether your complaint falls within its jurisdiction and whether it is a priority matter for investigation. Not all complaints result in a formal investigation — the ICO focuses on systemic issues and serious breaches.

กรอบเวลา: Submit within 3 months of the organisation's final response
เคล็ดลับเชิงปฏิบัติ
  • The ICO complaint form is at ico.org.uk/make-a-complaint
  • You have 3 months from the organisation's final response to submit your ICO complaint (or 3 months from when the issue occurred, if no response was received)
  • Be concise and focused — ICO caseworkers review many complaints; a clear, well-organised complaint gets more attention
  • The ICO cannot award you compensation — for that, you need a court claim under Article 82 UK GDPR
4

Work with the ICO Investigation

If the ICO accepts your complaint for investigation, a caseworker will contact both you and the organisation. They may ask for further information. Respond promptly and provide everything asked. The ICO may decide to take informal action (directing the organisation to comply with the law), issue a formal enforcement notice, or — in serious cases — levy a fine. You will be notified of the outcome.

กรอบเวลา: ICO investigations can take 3–18 months
เคล็ดลับเชิงปฏิบัติ
  • The ICO's outcome may be a 'reprimand' or an 'enforcement notice' rather than a fine — but these are still significant regulatory actions
  • If the ICO closes the case without the outcome you wanted, you can request an internal review of the decision
  • ICO decisions can be challenged by judicial review — but this is rarely warranted for individual complaints
  • The ICO's investigation may produce findings or evidence useful for a subsequent civil claim for damages
5

Consider a Civil Claim for Compensation

The ICO cannot award you compensation. If you have suffered material damage (financial loss) or non-material damage (distress, anxiety) as a result of the data breach, you can bring a claim in the County Court under Article 82 UK GDPR and s.168 Data Protection Act 2018. For distress-only claims, Vidal-Hall v Google [2015] established that non-material damage is sufficient. The 6-year limitation period applies to civil data protection claims.

กรอบเวลา: Civil claim: 6-year limitation period from the date of the breach
เคล็ดลับเชิงปฏิบัติ
  • A successful ICO investigation significantly assists a civil claim — use the ICO's findings as evidence
  • Small claims track is available for data protection claims under £10,000
  • Specialist data protection solicitors can advise on CFA (no win no fee) funding for significant claims
  • For serious breaches involving sensitive data, claims of £1,000–£5,000 for distress are not unusual

ค่าใช้จ่าย

ICO complaintFree
Civil claim for compensation (if needed)Court fees from £35; CFA may be available

คำเตือนสำคัญ

The ICO cannot award you compensation — it is a regulator, not a compensation body. Only a court can award damages.

Not all ICO complaints result in investigation — the ICO prioritises systemic issues and serious breaches. A single complaint about a minor issue may be noted but not actively investigated.

The limitation period for civil claims under Article 82 UK GDPR is 6 years — do not allow the ICO complaint process to run past this deadline without protecting your legal position.

ลิงก์ที่เป็นประโยชน์