Info Gov

The Cabinet Office has published a Model Action Plan setting out a single cross-government framework that all departments and arms-length bodies must follow when responding to significant personal data breaches, introducing mandatory central reporting of such incidents for the first time.

The plan, published on 15 July 2026, requires every breach reported to the Information Commissioner's Office to be reported in parallel to the Government Security Group incident response team in the Cabinet Office and to the Government Data Protection team within the Office of the Government Chief Data Officer at the Department for Science, Innovation and Technology (DSIT). The central reporting requirement to DSIT was introduced in April 2026, and the data gathered will feed into a publicly available annual assurance statement on data protection across government.

The framework is organised into five phases:

- Phase 0, preparation before any breach occurs, covering organisational response plans, asset registers, escalation routes and pre-approved communication templates for common scenarios such as misdirected emails and lost devices
- Phase 1, within 24 hours of identifying a significant breach, covering internal escalation and containment through technical, physical and legal action
- Phase 2, as soon as possible and no later than 48 hours, covering assessment of the risk to data subjects and a determination of whether the breach meets the plan's definition of significant
- Phase 3, within 72 hours, covering ICO reporting, notification of affected individuals and escalation to the organisation's Accounting Officer and the central government teams
- Phase 4, post-incident review, lessons learned and maintenance of the breach register

A breach qualifies as significant under the plan where it potentially exposes a large number of data subjects to a risk of serious harm, or a smaller number of higher-profile individuals such as public sector staff in sensitive roles or people in witness protection; where it poses national security risks, including exposure to espionage or effects on critical national infrastructure; where it affects multiple organisations, including incidents originating with third-party suppliers and subcontractors; or where it is likely to cause significant financial harm, threat to life, critical system loss or significant media and parliamentary interest. The plan states that all breaches meeting this definition would be expected to cross the statutory threshold for reporting to the Information Commissioner.

The framework sits alongside, rather than replaces, the statutory regime. Controllers remain under the Article 33 UK GDPR obligation to notify the ICO of reportable breaches within 72 hours of becoming aware of them, and the Article 34 duty to inform affected individuals directly where a breach poses a high risk to their rights and freedoms.

Data protection officers retain their statutory role and the plan is framed as helping organisations meet obligations under the UK GDPR, the Data Protection Act 2018 and the Data (Use and Access) Act 2025. It also confirms that the ICO can request to audit an organisation's breach register to verify compliance with Article 33(5).

There are a number of new requirements around departmental contract and supplier management. Organisations must ensure processors are contractually bound to assist with breach identification and response under Article 28, including service level agreements requiring third-party suppliers and contractors to notify the department within 12 to 24 hours of discovering a suspected personal data breach.

Where a breach is classed as significant, the organisation must activate its crisis incident response plan and appoint an incident manager at Senior Civil Service grade 1 or above. Departmental action plans must be tested against a hypothetical significant breach, in most organisations annually, to confirm the 72-hour reporting requirement can be met in practice.

On notifying individuals, the plan directs organisations to prepare an FAQ anticipating questions from affected people, to consider alternative formats for those who cannot access information digitally, and to record how harm to data subjects has been mitigated beyond notification, for example through helplines or identity monitoring tools.

For highly sensitive incidents involving vulnerable individuals, mitigations may extend to coordinating with police or social services on welfare check-ins. Press offices must be made aware that a breach may become public, but the plan is blunt on priorities, stating that exposing data subjects to undue risk in order to contain reputational damage is "not acceptable in the strongest possible terms".

Cyber security breaches will remain coordinated by the Government Cyber Coordination Centre, with cyber incidents affecting essential services or national security reported to the National Cyber Security Centre in place of the Cabinet Office route. Where a significant breach escalates into a wider crisis, the government's Amber Book crisis response framework applies. Lessons learned, mitigations and implementation updates must be reported quarterly to the Government Data Protection team, and the plan was informed by ICO expertise and is to be read alongside the government's Principles for securing personal data in government services.

The Model Action Plan for Responding to Significant Data Breaches is available at https://www.gov.uk/government/publications/model-action-plan-for-responding-to-significant-data-breaches

Also in this section

Jul 16, 2026

Scattered Spider pair jailed over TfL hack

Two members of the Scattered Spider hacking collective have each been jailed for five and a half years at Woolwich Crown Court on 16 July over a 2024 cyber attack on Transport for London that compromised the personal data of millions of customers and cost the transport authority £39 million.
Jun 29, 2026

"Five eyes" warn on accelerating cyber security threat from AI

The National Cyber Security has called on organisational leaders to treat cyber resilience as a core business and governance responsibility rather than a technical matter in the light of a report by the Five Eyes intelligence alliance on the "fundamental" impact of AI on the speed and scale of cyber threats.
Jun 15, 2026

Government AI hackathons uncover 407 vulnerabilities across nine departments, including critical remote code execution flaw

A pilot programme using frontier AI models to scan public-sector code repositories has identified 407 security findings across nine government organisations, including a critical vulnerability that could have allowed an external attacker to execute arbitrary code on a key digital service, the Department for Science, Innovation and Technology (DSIT) and the National Cyber Security Centre (NCSC)…

InfoGov Masthead Newsletter 800