The ICO suggests that organisations should consider reporting breaches via telephone, particularly where the data controller needs to obtain advice from the ICO. Issues can then be explored, and reassurance and advice dispensed, at the time of the call.
While there can be benefits to telephone reporting, particularly where a data controller needs urgent guidance, organisations should remain aware of the potential for regulatory enforcement action. Care should be taken that any information provided to the regulator is accurate, and data controllers should avoid making unqualified admissions of fault until they are clear as to their factual and legal position.
It should also be noted that the ICO does not distinguish between formal and informal reports: as soon as a data controller tells the ICO about a breach, it will be recorded and dealt with in the same way. Data controllers may want to consider seeking advice from other sources, where appropriate, or approaching the regulator on a “no names” basis in the first instance.