The Cabinet Office has published a Model Action Plan setting out a single cross-government framework that all departments and arms-length bodies must follow when responding to significant personal data breaches, introducing mandatory central reporting of such incidents for the first time.
The plan, published on 15 July 2026, requires every breach reported to the Information Commissioner's Office to be reported in parallel to the Government Security Group incident response team in the Cabinet Office and to the Government Data Protection team within the Office of the Government Chief Data Officer at the Department for Science, Innovation and Technology (DSIT). The central reporting requirement to DSIT was introduced in April 2026, and the data gathered will feed into a publicly available annual assurance statement on data protection across government.
The framework is organised into five phases:
- Phase 0, preparation before any breach occurs, covering organisational response plans, asset registers, escalation routes and pre-approved communication templates for common scenarios such as misdirected emails and lost devices
- Phase 1, within 24 hours of identifying a significant breach, covering internal escalation and containment through technical, physical and legal action
- Phase 2, as soon as possible and no later than 48 hours, covering assessment of the risk to data subjects and a determination of whether the breach meets the plan's definition of significant
- Phase 3, within 72 hours, covering ICO reporting, notification of affected individuals and escalation to the organisation's Accounting Officer and the central government teams
- Phase 4, post-incident review, lessons learned and maintenance of the breach register
A breach qualifies as significant under the plan where it potentially exposes a large number of data subjects to a risk of serious harm, or a smaller number of higher-profile individuals such as public sector staff in sensitive roles or people in witness protection; where it poses national security risks, including exposure to espionage or effects on critical national infrastructure; where it affects multiple organisations, including incidents originating with third-party suppliers and subcontractors; or where it is likely to cause significant financial harm, threat to life, critical system loss or significant media and parliamentary interest. The plan states that all breaches meeting this definition would be expected to cross the statutory threshold for reporting to the Information Commissioner.
The framework sits alongside, rather than replaces, the statutory regime. Controllers remain under the Article 33 UK GDPR obligation to notify the ICO of reportable breaches within 72 hours of becoming aware of them, and the Article 34 duty to inform affected individuals directly where a breach poses a high risk to their rights and freedoms.
Data protection officers retain their statutory role and the plan is framed as helping organisations meet obligations under the UK GDPR, the Data Protection Act 2018 and the Data (Use and Access) Act 2025. It also confirms that the ICO can request to audit an organisation's breach register to verify compliance with Article 33(5).
There are a number of new requirements around departmental contract and supplier management. Organisations must ensure processors are contractually bound to assist with breach identification and response under Article 28, including service level agreements requiring third-party suppliers and contractors to notify the department within 12 to 24 hours of discovering a suspected personal data breach.
Where a breach is classed as significant, the organisation must activate its crisis incident response plan and appoint an incident manager at Senior Civil Service grade 1 or above. Departmental action plans must be tested against a hypothetical significant breach, in most organisations annually, to confirm the 72-hour reporting requirement can be met in practice.
On notifying individuals, the plan directs organisations to prepare an FAQ anticipating questions from affected people, to consider alternative formats for those who cannot access information digitally, and to record how harm to data subjects has been mitigated beyond notification, for example through helplines or identity monitoring tools.
For highly sensitive incidents involving vulnerable individuals, mitigations may extend to coordinating with police or social services on welfare check-ins. Press offices must be made aware that a breach may become public, but the plan is blunt on priorities, stating that exposing data subjects to undue risk in order to contain reputational damage is "not acceptable in the strongest possible terms".
Cyber security breaches will remain coordinated by the Government Cyber Coordination Centre, with cyber incidents affecting essential services or national security reported to the National Cyber Security Centre in place of the Cabinet Office route. Where a significant breach escalates into a wider crisis, the government's Amber Book crisis response framework applies. Lessons learned, mitigations and implementation updates must be reported quarterly to the Government Data Protection team, and the plan was informed by ICO expertise and is to be read alongside the government's Principles for securing personal data in government services.
The Model Action Plan for Responding to Significant Data Breaches is available at https://www.gov.uk/government/publications/model-action-plan-for-responding-to-significant-data-breaches

