The Government has been considering the Low Pay Commission’s recommendations on minimum wage rates.

They were widely reported to be considering a range of between £10.90 – £11.43 an hour, as well as looking at the age range the National Minimum Wage related to.

Yesterday (21st November), they announced new rates that will apply from 1st April 2024. And, they represent a big increase; in fact, the largest increase in cash terms that there has ever been. They are particularly large for those workers who are 21 or 22 years old, as the top rate now includes them, rather than starting at the previous age of 23.

So, the new rates are:

  • 21 and over – £11.44, up from £10.42
  • 18 – 20 – £8.60, up from £7.49
  • 16 to 17 and apprentices – £6.40, up from £5.28

There will be plenty more news to report from the Autumn Statement today, but this announcement will allow employers to start budgeting for next year.


The guidance provided in this article is just that – guidance. Before taking any action, make sure that you know what you are doing, or call an expert for specific advice. 

A couple of new bits of legislation came onto the statute books over the past few weeks, which are especially relevant to those looking to recruit.

New rehabilitation of offenders rules are aimed at helping more people into work by reducing the time that many offences are notifiable; in other words, how long after their sentence ex-offenders have to continue to disclose it to a prospective employer. The other part, which slipped through rather unannounced in September, relates to Right to Work checks, to EU citizens and to the penalties for getting this very important process wrong.

First of all, numerous statistics show the problems that ex-offenders have getting back into employment after their sentences have been served. The new Police, Crime, Sentencing and Courts Act 2022 makes some changes.

It is worth saying that the most serious offences are exempt from these provisions, mainly offences classified as “serious violent, sexual and terrorism offences”. But the main changes are:

  • Those with sentences over 4 years were previously required to disclose their sentence indefinitely. For all but the most serious offences, this requirement now disappears 7 years after they come out on licence.
  • For sentences of 2½ – 4 years, the length of time they are required to be disclosed is reduced from 7 to 4 years.
  • Sentences of 1 – 2½ years remain unchanged at 4 years.
  • Those of 6 – 12 months are reduced from 4 to 1 year.
  • Those up to 6 months from 2 to 1 year.

There are some further requirements around those who reoffend within a certain time, but broadly speaking, these new disclosure requirements are aimed at improving ex-offenders’ chances of developing a career, particularly those who have served shorter sentences.

It is also worth remembering that you should not request details of criminal offences unless you have good reason related to the job and employment sector you are asking people to undertake, e.g. education, health and social care.  The whole point of legally requiring ex-offenders to declare unspent convictions is to save most employers having to do this.

With regard to Right to Work legislation, the penalty for getting it wrong has gone up from £45,000 to £60,000 per employee. This is a significant hike, and the Government hopes it will be a significant deterrent.

And, in a very unheralded change, those with EU pre-settled status obtained before 1st July 2021 have now had that status extended automatically by two years. This should potentially give them up to a maximum of 7 years to claim settled status in the UK, which once achieved means, subject to certain conditions, they have indefinite leave to stay and work within the UK.

We have covered this in previous webinars and updates, but a very full guide to right to work checks can be found on the Government’s website here.

If you are in any doubt, we may be able to help you, but remember we are not immigration lawyers but HR specialists. In particularly tricky cases, this is a very specialist area of legal expertise.

Finally, it is important to make sure that right to work checks for all (and DBS checks, if required) make up a key part of completing your selection process, including, we would add, the receipt of satisfactory employment references.




The UK Government has recently passed the Workers (Predictable Terms and Conditions) Bill, and it has received Royal Assent. This Private Member’s Bill will, in time, grant millions of workers more control over their working hours.

Supported by the Department for Business and Trade, the legislation aims to provide workers, particularly those on zero-hours or atypical contracts, with the right to request more predictable working patterns.  If a worker’s existing working pattern lacks certainty in terms of the number of hours they work, when the hours are worked, or, if they are on a fixed term contract for less than 12 months, they will be able to make a formal application to change their working pattern to make it more predictable.  Once a worker has made their request, their employer will be required to notify them of their decision within one month, a timescale even more exacting than next year’s amended legislation that will require employers to deal with flexible working requests in two months.

This move is part of a broader initiative to improve workers’ rights, including a significant increase in the National Minimum Wage, and enhanced protections for parents and unpaid carers.

The Act is expected to benefit both workers and businesses by increasing job satisfaction and staff retention. But it will also create uncertainty for a while as both sides and the Courts decide how it will work in practice.

ACAS, the Advisory, Conciliation and Arbitration Service, is developing a Statutory Code of Practice to guide both parties in implementing these new rights. The Act is expected to come into force approximately one year after receiving Royal Assent, allowing employers time to prepare.

Action Points:

  • The new law is expected to come into force in about a year, so employers should consider whether this will affect them and, if so, whether to start reducing their over-reliance on employing workers on irregular working patterns.
  • Organisations will have to review their current employment contracts and documentation to ensure they comply with the new requirements.
  • Employers need to review the number of workers on atypical contracts, and whether it is likely that moving to more predictable working hours would reduce the number of formal requests they may receive.
  • ACAS is proposing a public consultation on the draft Code of Practice – workers and employers should participate.
  • BackupHR will let our clients know when ACAS publishes this Code of Practice. We can then provide guidance on handling requests.



As we mark International Menopause Awareness Month, we are reaching out with a significant update that has emerged from a recent legal case in Leicester – M Rooney v Leicester City Council. This development means that it is essential to make sure Managers understand their responsibilities, and undertake good sickness absence workplace practices.

Key Points:

Case Background:

A social worker with Leicester City Council took extended sickness leave due to menopause symptoms, as well as anxiety and depression, between 2017 and 2018.

Despite disclosing her condition, she received a formal warning about her absences, and subsequently faced adverse comments and treatment related to her symptoms.

This treatment led Ms Rooney to resign in October 2018 and lodge claims against the Council in January 2019.

Landmark Ruling:

The first Employment Tribunal did not accept she was disabled; however, she appealed this decision and, after going backwards and forwards between the Courts, it was ruled in February 2022 that during the times relevant to her claims, Ms Rooney was “disabled” due to her menopause symptoms, combined with stress and anxiety.

Notably, this is the first significant legal decision stating that menopause symptoms can qualify as a disability under the Equality Act 2010, marking an important legal precedent.

Comments from The Equality & Human Rights Commission (EHRC):

The EHRC has backed this case.

Baroness Kishwer Falkner, EHRC Chair, stressed the importance of understanding the impact of menopause symptoms on an individual’s work capacity. She underscored that employers have a responsibility to support such employees, which will benefit both the employee and the wider team.

The full case has now been resubmitted to an Employment Tribunal, which will hear this month whether Ms Rooney was discriminated against, harassed and victimised by Leicester City Council on the grounds of disability and sex.

Our Recommendation:

In the wake of this decision, it is important that employers ensure they offer the necessary support to employees going through the menopause, and treat staff who are clearly having a difficult time in the same way as any other person with an underlying health condition, including making reasonable adjustments where practical.

Although ACAS suggest employers have a dedicated Menopause Policy, this is actually not necessary for SMEs providing there is a detailed Attendance Policy in place that already identifies the importance of dealing properly with any underlying health condition, which the menopause clearly is, as some of the symptoms can be fairly severe, and can last for quite a few years.  A well written Attendance Policy, such as the one we provide to our clients, can prevent potential legal complications and foster a more inclusive and understanding work environment.





COVID changed the face of many workplaces and employers’ attitudes to working from home. This is perhaps not surprising, as many organisations could not have survived without it during the Pandemic.

As we returned to some sort of normality, many have been asking how effective it really is, with a more recent and increasing trend for many employers to start encouraging more people back into the office in an effort to improve efficiency, creativity and team working. Other employers, meanwhile, have been actively incorporating it into their workplace, especially in the form of Hybrid Working, a combination of office and home working.

So, the Government wanted the answer to many questions. The UK’s Hybrid Work Commission, in collaboration with the CIPD, has now released a comprehensive report outlining the benefits and challenges of hybrid working. The report emphasises that a well-implemented hybrid work model can lead to increased productivity, better work-life balance, and a more inclusive workforce.

The Government is anxious to capitalise on the rise of hybrid and remote working. To make sure, it sought a wide variety of opinions; the report was co-sponsored by various organisations, including CIPD, Indeed, Liverpool John Moores University, the Northern Powerhouse Partnership, Prospect, Vodafone, and Zoom.

Not surprisingly the report is inconclusive, and suggests that there’s no one-size-fits-all approach; employers should aim to find a balance that suits both the organisation and its employees.

From an inclusivity standpoint, hybrid working can offer opportunities to those who might otherwise be unable to work, such as individuals with disabilities or caregiving responsibilities. However, it’s crucial to remember that there are many job roles that either cannot be performed remotely, or where remote working has been found to create operational and team working problems.

Flexible working is not simply about home working, and employers should also consider other forms of flexible working, like flexitime and compressed hours, to benefit all staff.

The report also highlights a perception gap in productivity. While some employers believe remote work enhances productivity, others feel the opposite. Interestingly, these views often depend on the current working model of the organisation.

Lastly, the report calls for the UK Government to introduce a National Remote and Hybrid Work Strategy. It also recommends that employers provide training to Line Managers on managing hybrid teams, and that guidelines be developed to measure productivity in a hybrid environment.

Action Points for Employers:

  • Consult Your Team: Involve employees in discussions to find the most effective hybrid working model for your organisation.
  • Training for Managers: Invest in training programmes that help Line Managers effectively manage hybrid teams.
  • Measure Productivity: Develop meaningful metrics to evaluate the productivity of employees in a hybrid setting.
  • Inclusivity Check: Ensure your hybrid model is inclusive, catering to people with disabilities and caregiving responsibilities.
  • Flexible Options: Apart from remote work, consider offering other flexible working arrangements like flexitime and compressed hours, where feasible.
  • Government Guidelines: Keep an eye on Governmental recommendations and strategies related to hybrid and remote working to stay compliant and maximise benefits.

By implementing these action points, employers can make the most out of hybrid working while ensuring a balanced and inclusive work environment.




Artificial Intelligence (AI) is rapidly becoming an integral part of many organisations, revolutionising the way they operate. While the technology offers numerous advantages, such as automation and data analysis, it also presents a unique set of challenges never really encountered before.

Employers will increasingly face these challenges within the workplace. Below are some of the issues AI raises in its early days, and some action points you can look at now.

The Challenges

Job Displacement and Redundancy

One of the most significant concerns surrounding AI is job displacement. As AI systems become increasingly sophisticated, they can perform tasks that were once exclusive to humans, leading to job redundancies.

Employee Morale and Perception

Where employees perceive AI as a threat to their job security, it will lead inevitably to decreased morale and productivity.

Ethical Considerations

AI systems, especially those involved in recruitment, can inadvertently perpetuate biases already present in the data they use, leading to unfair and possibly discriminatory hiring and promotion decisions, and are likely to impact on other HR and employment practices. This will depend on how AI is used and, perhaps more importantly, how it is allowed to make decisions that affect the wider workforce, including its workers, suppliers and contractors.

Data Privacy and Security

AI systems often require vast amounts of data to function effectively. This raises concerns about data privacy and the potential for breaches. It also raises the question of how employers control their own staff’s use of the technology, and especially what data they share with AI systems.

Dependence on Technology

Over-reliance on AI can lead to a serious lack of human oversight, potentially resulting in errors or misjudgements that a human would either not have let happen, or not without questioning the resultant outcome.

Skill Gap and Training

The introduction of AI in the workplace necessitates new skills. There might be a gap between the skills employees currently possess and those required to work with AI.

Cost of Implementation

AI systems can be expensive to implement and maintain. Employers must weigh the costs against the benefits carefully.

Legal Implications

The use of AI in HR processes can expose employers to legal risks, especially if the AI system makes a decision that leads to unlawful discrimination.

Six Action Points for Employers

Based on the challenges outlined above, here are six action points for employers:

  • Conduct Ethical Audits: Regularly review and update AI systems to ensure they are free from biases. This will help in maintaining ethical standards in recruitment and other HR processes.
  • Data Protection Compliance: Invest in robust cybersecurity measures, and ensure compliance with data protection laws. This will help to safeguard the organisation against data breaches and legal repercussions.
  • Upskill Employees: Focus on continuous training programmes to prepare employees for the changes that AI will bring, so that fear is replaced with better understanding, greater acceptance and less resistance. This will help in closing the skill gap and making the transition smoother.
  • Transparent Communication: Having decided how within an organisation AI would be beneficial, engage in open dialogue with employees to address their concerns about AI and job security. Transparency is key to maintaining employee morale and productivity.
  • Cost-Benefit Analysis: Thoroughly evaluate the financial implications, including both initial setup and ongoing maintenance costs, of implementing AI. This will help in making informed decisions.
  • Legal Consultation: Consult with professionals to understand any potential legal risks associated with the use of AI in HR processes, and how to mitigate them.


While AI can, and will, present numerous challenges to employers, and indeed HR consultancies, proactive measures and a forward-thinking approach can ensure that employers harness the benefits of AI, while safeguarding their workforce and maintaining ethical standards. By understanding these challenges, and taking the suggested action points into account, employers can navigate the complex landscape of AI effectively.

BackupHR will be discussing this topic at the beginning of our Autumn programme of monthly webinars, starting on Tuesday 19th September, so put this date in the diary, and if you are already on our database look out for the webinar invitation.

Not getting information about our free webinars?  Contact Jackie Bolton on and she will add your details to our database for future invites.




How can you ensure that your business is doing everything right when it comes to Right to Work Checks?

If you have recently been given responsibility for the onboarding of new employees, then find out what you need to do here. If you think you already know and can do the checks standing on your head, then treat this as a refresher and hopefully pick up some of our tips and tools to help you along the way.


If you want to employ someone, you need to gain proof of their right to work in the UK – before they start their employment.  You could face a hefty civil penalty if you employ a worker and have not carried out a correct right to work check.

Which checking method should I use?

There have been quite a few changes to Right to Work checks over the last few years, but essentially you need to carry out one of the following:

  1. a manual right to work check;
  2. a right to work check using Identity Document Validation Technology (IDVT) via the services of an Identity Service Provider (IDSP);
  3. a Home Office online right to work check.

To help you decide which checks to make, this guide will assist you.

UK & Irish citizens can use their passport or passport card to prove their right to work. You can check this manually or using an IDSP.

For nearly all others, you’ll need to check their right to work online.

If you cannot check the applicant’s right to work online using their share code or check the applicant’s original documents, use the Home Office Checking Service.

In some circumstances an online check is not possible; in that case, conduct a manual check.

To Do List (A, B or C):

A. Manual Checks

1. Obtain

Gain the original documents from List A or List B of acceptable documents.

2. Check

Ensure that the documents are genuine, belong to the person presenting them and that they are allowed to do the type of work you are offering.

3. Copy

Make a clear copy of each document in a format which cannot manually be altered and retain the copy securely: electronically or in hardcopy.

B. Identity Document Validation Technology Checks

If you use the services of an IDSP (Identity Service Provider) for digital identity verification, holders of valid British or Irish passports (or Irish passport cards) can demonstrate their right to work using this method.

Remember – There is a cost associated with this type of check – providers can be found here.

C. Online – Home Office Right to Work Checking Service

1. View

Use the Home Office online right to work checking service (‘View a job applicant’s right to work details’ on GOV.UK).

You will need the individual’s share code and their date of birth before you start the online check.

2. Check

Satisfy yourself that any photograph on the online right to work check is that of the individual presenting themselves for work.

3. Copy

Retain a clear copy of the response provided by the online right to work check.

What next?

Record Keeping

Retain a copy of your right to work checks (storing that response securely, electronically or in hardcopy) for the duration of their employment, and for two years afterwards.

You can use our Right to Work Compliance Checklist to record your processes and actions.

Follow Up

If you have correctly carried out your checks, you will have a statutory excuse against liability for a civil penalty if the prospective or existing employee is found working for you illegally. Phew!

However, you need to be aware of the type of excuse you have as this determines how long it lasts for, and if, and when you are required to do a follow-up check.

If the documents that you have checked and copied are from:

  • List A: You do not have to conduct any further checks on this individual.
  • List B group 1: You should carry out a follow-up when the document evidencing their permission to work expires.
  • List B group 2: Carry out a follow-up check when this notice expires six months from the date specified in your Positive Verification Notice.

Useful Links & Documents

The Home Office have now issued a new employers guide on right to work checks, including revised List A and List B documents from 13th March 2023.

Our Employment Details Forms also include the most recent right to work acceptable document lists.

Existing Worker Employment Details Form

New Starter Employment Details Form

We have also put together a Right to Work Checks flowchart which you may also find useful.


Clients are welcome to raise any concerns with their Consultant, who will be pleased to advise you on any element of the issues arising from this newsletter.  Please remember we are NOT immigration specialists as that is a very specific area of law, but right to work checks are a requirement for all employers to undertake as part of an employer’s legal employment statutory duties.

In a bid to further ramp up the pressure on immigration, the Government has substantially increased the penalties for both employers and landlords who, mistakenly or otherwise, hire or rent properties to illegal migrants.

The Home Secretary, Suella Braverman, recently confirmed an amendment in the penalty charges which are both eye-watering and of real significance for employers who are found to have taken on an illegal worker. These will come in next year.

The fine for employers will be increased to £45,000 per illegal worker for the initial breach, a steep rise from the previous £15,000.

For repeat breaches, this amount will escalate further to £60,000, up from £20,000.

The Home Office has also announced forthcoming consultations aimed at strengthening the actions against licensed businesses that employ illegal workers.

The statistics from the past few years are sobering. Since 2018, nearly 5,000 civil penalties have been issued to employers amounting to over £88 million in fines. Landlords too faced over 320 penalties, though the effect is considerably lower, adding up to just £215,500.

The emphasis from the Minister for Immigration, Robert Jenrick, is clear: “There is no excuse for not conducting the appropriate checks, and those in breach will now face significantly tougher penalties.”

As was the case before this, every employer should undertake the necessary checks to ascertain the legitimacy of their hires.

The Government is clearly taking a stance, stating that this policy has a number of aims:

  • Curbing illegal immigration: Illegal working opportunities and housing are significant attractions for migrants. This often becomes the premise used by people smugglers.
  • Ensuring fair competition: Employing illegal workers undercuts legitimate employers, depriving genuine job seekers of work opportunities.
  • Economic impact: Illegitimate hiring evades the tax system, negatively impacting the national economy.

Key Actions for Employers:

  • Revisit Recruitment Procedures: Ensure that your recruitment and vetting processes are stringent, updated, and in line with the new regulations. Above all, make sure proper Right to Work checks are carried out on all new employees.
  • Utilise the Home Office Online System: This check takes just five minutes and is available on the GOV.UK website.
  • Educate your Hiring/HR Team: Ensure that the people who recruit within your organisation are aware of the recent changes, and they know how to correctly carry out the necessary checks, prior to the applicant starting employment. This is key, as it is not uncommon that Line Managers are solely interested in getting new people started as soon as possible, and believe that right to work checks are just a tick box administrative exercise done only when there is time. This is now far from the case.
  • Regularly Audit Existing Employees: Regularly review and update the status of current employees to ensure compliance. It is easy for those with a time limited Right to Work to fall through the cracks. However, the Government also announced in July new Immigration Rules confirming that from September 2023, people with pre-settled status under the EU Settlement Scheme (EUSS) will automatically have their status extended by 2 years before it expires, if they have not already obtained settled status.
  • Stay Updated: Keep abreast of upcoming consultations and changes in the law to ensure ongoing compliance, such as the July announcement, as the Immigration rules are being regularly updated.
  • Seek Expertise: Seek advice from experts, and especially on the periodic reviews and audits to ensure that your business remains compliant.

A proper process for ensuring this happens with every new hire is crucial; the penalties are too large to ignore.

If you are in any doubt at all, give us a call. We are not immigration experts, so some questions may need to be referred to others, but our team is here to support you, ensuring that your recruitment process is both effective and compliant.




Many of us are busy striking items from our ‘Important and Urgent’ to do lists, as holidays approach, or business deadlines loom large. Thankfully, most of us have a degree of planning capability in our work lives, but one thing that we can never predict is an incident or accident, which by their very nature tend to come out of the blue, meaning we need to drop everything and put on our investigator’s hat!

Carrying out an effective internal investigation is an often overlooked, but essential skill for Managers, who have to be able to investigate a whole range of issues, anything from discipline or grievance cases, accidents at work, through to customer complaints or quality failings.

Not conducting internal investigations can lead to significant challenges for your business, including potential legal liabilities, a decrease in employee morale due to perceived neglect of grievances, and damage to the Organisation’s reputation. We are in an era where negative news travels fast, and chances to identify and rectify systemic issues could be missed.

ACAS provide helpful guidance on how to conduct workplace investigations. Although their focus is purely on employment matters, their summary of the principal stages is well worth applying.

ACAS 6 Steps to Conducting Workplace Investigations

  1. Decide if an Investigation is Necessary: Not all complaints require a full investigation. Some can be resolved informally.
  2. Plan the Investigation: Determine the scope, which should be proportionate to the allegation. Decide who will conduct it and what resources they’ll need.
  3. Collect the Evidence: This includes documents, CCTV footage, or any other relevant materials. Interviews should be conducted with those involved and any witnesses.
  4. Analyse the Evidence: Consider all the evidence impartially, and decide if it’s sufficient to make a decision.
  5. Write a Report: Document findings, including all evidence, interview transcripts, and a conclusion. This will be crucial for any subsequent steps.
  6. Decide on Action: After the investigation is complete, based on the report, determine if any action, such as disciplinary action, needs to be taken.

Investigations are a prelude to further action, which may vary from a customer complaint being upheld through to commencing a formal disciplinary, dismissal or grievance process with your employees, so getting them wrong can have significant consequences.

Our Top Recommendations for Effective & Thorough Investigations

  • Be Impartial and Objective: Investigators should not have any stake in the outcome. Consider third-party investigators if necessary.
  • Maintain Confidentiality: Protect the privacy of all involved parties to the greatest extent possible.
  • Document Thoroughly: Every step, from initial complaints to interviews and findings, should be meticulously recorded.
  • Seek Expert Advice: When in doubt, consult with BackupHR to ensure the investigation is robust and compliant.

Being a good investigator is more of a science than an art and requires good listening and questioning skills, as well as a tenacious ability to get to the truth rather than assume what the outcome is, and then look solely for the evidence to support that theory.

We have given you some useful points to consider in this article, but to ensure you and your Managers are trained and skilled to competently deal with workplace investigations, you may want to consider booking yourself and/or your team onto our upcoming training course on this subject.

Conducting Investigations

Wednesday 18th October 2023 – Quy Mill Hotel & Spa, Quy, Cambridge

Equip your Managers with the principles and practical skills to conduct a thorough and fair investigation with confidence.

Registration and refreshments from 8.00 a.m., with the course commencing at 8.30 a.m. and finishing around 1.30 p.m., Lunch and refreshments provided.

The cost for this course will be £165.00 plus VAT per delegate, including lunch. Preferential rates for clients.

To reserve a place, contact Jackie Bolton, either by e-mail: or call 01480 677981.



Clients are welcome to raise any concerns with our team of Consultants, who will be pleased to advise you on any element of the issues arising from this newsletter.

Recent serious breaches of Data Protection have been reported this week in Northern Ireland and Scotland. In both cases, individuals have been put at risk because inadvertent human error caused sensitive, confidential personal data to be released.

The General Data Protection Regulation (GDPR) came into effect on 25th May 2018, with the goal of protecting personal data and upholding individual privacy rights within the European Union. Even with the UK’s exit from the EU, similar legal Data Protection principles have been maintained, and employers in England and Wales must comply with them.

Potential Consequences of a GDPR Breach:

  • Financial Penalties: Non-compliance can result in the ICO imposing fines of up to £17.5 million, or 4% of the organisation’s annual global turnover for a substantial breach, and £8.7 million or 2% for a standard breach, whichever is the higher amount.
  • Reputation Damage: Breaches can lead to a loss of trust among customers and stakeholders, potentially harming long-term business prospects.
  • Legal Challenges: Individuals affected by the breach may seek legal recourse, leading to further financial burdens and negative publicity.
  • Operational Disruption: An investigation into a breach could interrupt daily business operations, causing delays and inefficiencies.

Actions to Take in the Event of a Data Breach:

The first rule: do not panic, but do not ignore it, especially if it is a serious breach. Whether it is your customers’ credit card information, your patients’ personal records, or your employees’ employment details, someone, somewhere can use the leaked information, and not for good.

  • Immediate Containment: Identify and isolate the breach to prevent further unauthorised access or dissemination.
  • Assessment and Documentation: Gather as much information about the breach as possible, including what data was affected, how the breach occurred, and who may be responsible.
  • Notify the Supervisory Authority: In England and Wales, report the breach to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it, together with an action plan of how you propose to rectify the breach.
  • Inform Affected Individuals: If the breach poses a risk to individuals’ rights and freedoms, notify them promptly and provide guidance on protective measures they can take. If the individuals involved are your own employees, as in the case of the entire Northern Ireland police force, then the consequences and fallout from the breach must be tackled as an immediate priority, as staff are going to be really angry and distrustful. The negative ripple effect on staff morale and retention should not be underestimated.
  • Engage Legal and Forensic Experts: Seek professional advice to ensure that actions align with legal obligations, and gather evidence if needed. This is particularly important when the breach is the result of IT hacking.
  • Implement Remedial Measures: Strengthen security measures to prevent future breaches, and restore systems to full functionality.
  • Monitor and Analyse Impact: Continuously monitor the affected systems and data to detect any ongoing or secondary threats.
  • Develop a Communication Strategy: Provide clear and accurate information to staff, customers, and stakeholders, and manage the public relations aspect of the breach.
  • Review and Update Policies and Procedures: Analyse the breach to understand underlying weaknesses, and update policies and training accordingly. Again, in the Northern Ireland Police case, why was all of that key staff information on a single Excel spreadsheet? Who had the authority to access that information?  Who authorised putting that spreadsheet onto a website, and if it was down to human error, were there checks in place to make sure that this did not happen?
  • Insure Against Future Risks: Consider investing in cyber liability insurance to mitigate potential financial consequences of future breaches.

The complex nature of data protection and corresponding legislation in England and Wales requires all organisations to take the acquisition, handling, storage and disposal of sensitive personal data very seriously. Investing in robust security measures, staff training, and preparedness planning can mitigate the risks and help organisations navigate the challenging landscape of data protection compliance.

By understanding the dangers of a data protection breach, especially one involving your own staff, and following the actions outlined above, organisations can not only respond effectively to breaches, but also foster a culture that prioritises data privacy and security, so that breaches, whether due to human error, deliberate or criminal, simply do not happen.

