
Data breach affecting parishes

Last week, the DBS checking organisation APCS confirmed a data breach affecting the systems of its software contractors. We are aware that many parishes within the Diocese of Guildford have unfortunately been impacted by this breach, and they have been contacted by both us and the APCS with further information. APCS has a processing arrangement with parishes, the Diocesan Board of Finance and other organisations across the country to process DBS checks. APCS works with around 19,000 organisations including 17 dioceses.

The data breach was linked to malicious activity and relates to personal and sensitive information being processed for DBS checks between December 2024 and May 2025.

All affected parishes should have received an email from APCS by now, but they should continue to check emails over the coming days.

Parishes who have received an email from APCS need to act to notify the Information Commissioner’s Office (ICO) of the breach and contact those whose data has been breached. APCS will supply you with details of who has been affected, and the Diocesan Team has sent a template on the information to include in both the ICO report and the notification to affected individuals.

Watch this video on how to report a data breach.

The ICO breach report needs to be completed within 72 hours of notification, or as soon as possible, by clicking here.

We know that this news will be concerning to many and cause alarm to the individuals whose data has been compromised. The situation is deeply regrettable, and the Diocesan Team will remain in close contact with parishes and provide support wherever possible.

The Rt Revd Andrew Watson, Bishop of Guildford said:

“I was so sorry to hear about the data breach involving quite so many dioceses and other organisations around the country – and am grateful for the speedy response of our diocesan team at Church House Guildford once we became aware of it. I pray that no significant harm will come from this malicious attack, either for individuals or for our vision of a growing church at the heart of each community; and hugely appreciate the hard work of so many clergy and lay volunteers, and their willingness to go through DBS checking in our quest to become a safer Church. Let’s not let the hackers win!”

Q&A

Do I need to tell the Charity Commission? 

Yes. A template and a briefing document drawn up by the Church of England can be downloaded to help with your submission to the Charity Commission.

Serious Incident Reporting to the Charity Commission - Briefing Document

Reporting a Serious Incident to the Charity Commission - Template

Why can’t the Diocesan Team or the national Church of England team submit a blanket breach report to the ICO?

This option has been explored but because the various data controllers (DBF, Bishops’ Office or PCC) are all separate legal entities, we will all need to respond separately.

What do I need to tell people whose data may have been breached? 

A specific template has been shared via email with affected parishes, but you need to tell them, in clear and plain language, the nature of the personal data breach and, at least:

  • the name and contact details of any data protection officer you have, or other contact point where more information can be obtained (e.g. PSO, PCC Secretary or Incumbent); 
  • a description of the likely consequences of the personal data breach such as: 
    • Potential for identity theft
    • The possibility of receiving spam emails 
    • Personal information being sold to third party advertisers 
  • a description of the measures taken or proposed to deal with the personal data breach (You may need to say that further advice will follow here once you have heard more from APCS). 

How can we advise people how to keep themselves safe from identity fraud?

APCS have suggested that everyone should:

  • Stay alert to unexpected emails, calls, or letters that mention personal details about you.
  • Never give personal information to unsolicited callers, even if they seem to know details about you.
  • Verify any unexpected contact by calling the organisation directly using their official number.

Also:

Monitor for new applications made in your name:

  • Check your credit report (free from Experian 0800 013 8888, Equifax 0800 014 2955, or TransUnion 0330 024 7574). You can also download an app to help you monitor this.
  • Look for any new accounts, credit searches, or applications you didn't make.

Optional additional protection:

  • CIFAS Protective Registration (£30 for 2 years at cifas.org.uk) adds extra identity verification checks for new credit applications - only consider this if you're particularly concerned.
 

The ICO also recommends that you advise individuals on the steps they can take to protect themselves, such as: 

  • re-set passwords; 
  • always use strong, unique passwords; and
  • look out for phishing emails or fraudulent activity on their accounts. 

Further information on support and advice on protecting your data can be found in this template.

Report suspicious activity:

If someone in your parish notices any unusual activity or applications they didn't make:

  • Report it to Action Fraud: 0300 123 2040 or visit www.actionfraud.police.uk
  • Keep records of any suspicious contact or activity.

What can the Church of England do to help parishes? 

The Church of England is in urgent contact with APCS and is looking for ways to support parishes. The National Church Institutions are offering 12 months of free credit and web monitoring services, provided by Experian, to individuals within the Church of England affected by the breach. The Experian Identity Plus account helps detect possible misuse of personal data and provides people with identity monitoring support, focussed on the identification and resolution of identity theft. Access codes will be made available to dioceses to distribute. As soon as we receive these codes, we will update parishes. 

What next? 

If you need any further support from the diocese, do email data.protection@cofeguildford.org.uk

The Information Commissioner’s Office is very keen for parishes to contact their free advice service in order to benefit from their expert support and advice on this number - 0303 123 1113 

 

Article published on: 27th August 2025