State visit
The President of the French Republic, Emmanuel Macron, and Mrs Brigitte Macron will visit Windsor, under invite from the King, from Tuesday 8 July to Thursday 10 July 2025. Find out more.
FOI001846 FOI Information Governance
Short Description
Data Breaches and GDPR Compliance
Reference number
FOI001846
Date
30/06/2025
Request
Please provide the total number of personal data breaches reported internally since 1 January 2020. I would also like to know how many of these breaches were reported to the Information Commissioner’s Office (ICO), together with a breakdown of the nature of each breach, for example whether it involved data sent to the wrong recipient, unauthorised access, or lost or stolen information. In addition, please confirm the number of individuals affected in each case.
I would be grateful if you could set out what mandatory data protection and GDPR training is in place for staff who handle personal data. Specifically, please state what percentage of staff completed this training each year since 2020, how frequently refresher training is delivered, and whether training records are audited for compliance.
Please also confirm how many staff members have been subject to disciplinary action in relation to data breaches since 2020, and describe the nature of any disciplinary measures taken, for example whether they involved retraining, formal warnings, or dismissal. I would also like to know whether any of these incidents were found to have resulted from systemic failures within the organisation.
I am requesting information on how many complaints have been made to the ICO regarding RBWM’s handling of personal data since 2020, and whether RBWM has received any enforcement notices, reprimands, or fines from the ICO during that time. If so, please set out the details, including whether any corrective action plans or undertakings were agreed.
Please provide a copy of RBWM’s current policies and procedures for detecting, reporting, and investigating personal data breaches. I would like to understand what internal guidance is used to decide when a breach must be reported to the ICO and/or to affected data subjects, as required under Articles 33 and 34 of the UK GDPR. Please also confirm whether any internal audits or reviews of these processes have been carried out in the past three years.
I am also requesting details of the resources allocated to data protection. Please confirm what annual budget is dedicated to GDPR compliance and information governance, how many staff are employed in the Data Protection or Information Governance teams, and whether RBWM has formally appointed a Data Protection Officer in line with Article 37 of the UK GDPR.