ICO Breach Reporting Duties - Glasgow bylaw guide
Organisations and public bodies operating in Glasgow, Scotland must follow ICO reporting duties under the UK GDPR and the Data Protection Act when personal data breaches occur. This article explains when to notify the ICO and affected individuals, internal council reporting expectations, and how Glasgow organisations should act to limit harm and comply with enforcement procedures. It draws on official Glasgow City Council guidance and ICO rules so that local authorities, businesses and third-party processors can identify deadlines, required information and practical next steps for breach handling.[1]
When to report a personal data breach
A personal data breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, if it is likely to result in a risk to people’s rights and freedoms. You must also inform affected individuals when the breach poses a high risk to their rights and freedoms. The ICO provides a dedicated reporting route and guidance for organisations.[2]
Penalties & Enforcement
The ICO enforces the UK GDPR and can issue monetary penalties and other regulatory measures. Key enforcement points for Glasgow organisations are below.
- Monetary penalties: up to £17.5 million or up to 4% of annual global turnover, whichever is higher, for the most serious infringements (as set out by the ICO).[2]
- Escalation and repeat offences: ranges and specific uplift for repeated or systemic breaches are determined case by case by the ICO; specific multipliers or bands are not specified on the cited page.[2]
- Non-monetary sanctions: enforcement notices, orders to bring processing into compliance, requirements to communicate with data subjects, audits, and court action may be used by the ICO.[2]
- Enforcer and local contact: the Information Commissioner's Office is the statutory regulator; Glasgow City Council's Data Protection Officer handles internal reporting and local compliance procedures for council services.[1]
- Appeals and review: decisions and notices from the ICO can be challenged through the statutory appeal routes (for example, to the Tribunal); precise time limits for appeal are set out in the applicable enforcement notice or decision document and are not specified on the cited overview pages.[2]
Applications & Forms
- ICO online breach report form: use the ICO's official online reporting route to notify a personal data breach; there is no fee to report. Details and the form are on the ICO site.[2]
- Glasgow City Council internal reporting: council services should follow the council's internal data protection breach reporting procedure available from the council's data protection pages; if no public form is published, internal staff should contact the Data Protection Officer as instructed on the council page.[1]
Practical steps after a breach
- Contain the breach and secure systems to limit further loss of data.
- Document what happened, what data was affected, and the likely consequences.
- Assess the risk to individuals and decide whether ICO notification is required within 72 hours.
- If required, notify the ICO using the official online route and notify affected individuals when the breach poses high risk.
- Report breaches involving council-held data to Glasgow City Council's Data Protection Officer and follow internal escalation steps.[1]
Common violations
- Poor access controls leading to unauthorised access to personal data.
- Accidental data disclosure by email or misdirected documents.
- Failure to encrypt or pseudonymise high-risk datasets.
FAQ
- When must Glasgow organisations notify the ICO of a breach?
- Notify the ICO without undue delay and, where feasible, within 72 hours if the breach is likely to result in a risk to individuals' rights and freedoms. See ICO guidance for details.[2]
- Do I always need to tell affected people?
- Only if the breach is likely to result in a high risk to individuals' rights and freedoms; otherwise document the assessment and the rationale for not notifying individuals.[2]
- Who within Glasgow City Council handles breach reports?
- The council's Data Protection Officer and the relevant service manager handle internal reports; staff should follow the council's published reporting procedure on the data protection pages.[1]
How-To
- Contain the incident and secure any affected systems.
- Record the breach details, categories of data affected and likely impact.
- Assess risk to individuals and decide on ICO notification within 72 hours where necessary.
- Use the ICO's online reporting route to notify the regulator if required, and inform affected individuals when there is a high risk.
- Follow Glasgow City Council internal reporting and remedial steps if council data or resources are involved.[1]
Key Takeaways
- Notify the ICO without undue delay and, where feasible, within 72 hours for significant breaches.
- Document all breach assessments and keep records even if you do not notify the ICO.
- Contact Glasgow City Council's Data Protection Officer for internal guidance on council-held data.[1]
Help and Support / Resources
- Glasgow City Council - Data protection and Freedom of Information
- ICO - Report a personal data breach
- ICO - Guide to data protection and enforcement
- Scottish Government - Freedom of information and data protection