Question to the Cabinet Office:

To ask the Minister for the Cabinet Office, pursuant to the Answer of 9 May 2023 to Question 183317 on Capita: Cybercrime, what his Department's (a) policies on and (b) processes for informing (i) public sector employees and (ii) other individuals affected by a breach of Government data are.

The Cabinet Office takes personal data breaches very seriously. As part of standard procedure, the Cabinet Office advises that all Cabinet Office employees must immediately report breaches to the Security Team and Data Protection Officer. Any breach that meets the legal tests set out in UK GDPR will be reported to the Information Commissioner or data subjects within the statutory deadlines.

It is our policy that data subjects will usually be notified of any incident pertaining to their personal data. Agreements with delivery partner(s) and 3rd party suppliers must stipulate the arrangements and obligations for ensuring that there is an established, effective and timely process to identify and report any actual or suspected losses of data/information by the ‘provider’.