APCS Data Breach

Many parishes in the Diocese of Salisbury, and in other dioceses (along with thousands of other organisations), have been contacted by APCS about a data breach. A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. In this case, a third-party supplier to APCS was subject to unauthorised access, and files containing personal data were copied from its systems during a recent cyber-attack. Investigations are still ongoing.

APCS has a processing arrangement with parishes, the Diocesan Board of Finance (DBF) and many other organisations across the country to process DBS checks. If your parish has received an email from APCS, then it is your parish, as the data controller for the checks it requested, that must notify the breach to the Information Commissioner's Office (ICO); UK GDPR requires this to be done without undue delay and, where feasible, within 72 hours of becoming aware of the breach. You also need to contact those whose data may have been breached. APCS will supply you with details of who has been affected.

If you haven’t received an email from APCS, then you are unlikely to have been affected, though you should continue to check for emails from them over the coming days. 

Watch the accompanying video to find out how to report the breach. The report needs to be made as soon as possible, using the link provided.

Do I need to tell the Charity Commission? 

UPDATE: The Charity Commission has informed the Church of England that due to the large number of Serious Incident Reports they have received on this, trustees in PCCs and diocesan boards of finance do not need to report to the Charity Commission "if in substance they simply wish to report the same incident in materially similar terms".

If your parish does still choose to do this, a template and a briefing document drawn up by the Church of England can be downloaded to help with your submission:

Serious Incident Reporting to the Charity Commission - Briefing Document

Reporting a Serious Incident to the Charity Commission - Template

What do I need to tell people whose data may have been breached? 

You need to tell them, in clear and plain language, the nature of the personal data breach and, at least:

  • the name and contact details of any data protection officer you have, or another contact point where more information can be obtained (e.g. the PSO, PCC Secretary or Incumbent);

  • a description of the likely consequences of the personal data breach, such as:

    • the possibility of receiving spam emails;
    • emotional and reputational harm;
    • personal information being sold to third-party advertisers;
    • the potential for identity theft.

    If you are not sure what to include here, use any or all of the above; they are real examples of the potential consequences of a breach like this.

  • a description of the measures taken or proposed to deal with the personal data breach (you may need to say that further advice will follow once you have heard more from APCS).

The ICO recommends that you advise individuals on the steps they can take to protect themselves, such as:

  • resetting passwords;
  • always using strong, unique passwords; and
  • looking out for phishing emails or fraudulent activity on their accounts.

Scammers commonly use a publicised breach as a lure, so individuals should treat unexpected emails, calls or letters that refer to the breach, to APCS or to their DBS check with particular caution, and should not give out personal details or passwords in response to them.

DBS Checks going forward  

In line with the national church, we have paused the processing of DBS checks via APCS until further notice. We will issue more guidance as we receive information from the national church and/or assurances regarding checks with APCS. If you are due to verify someone's check, please do not proceed, and ignore reminder emails. Please advise your parish verifiers not to verify any checks. Parishes that have already signed up with the new provider Thirtyone:Eight can, however, progress with those checks.

What can the Church of England do to help parishes? 

The Church of England is in urgent contact with APCS and is looking for ways to support parishes, including providing support from a service that offers credit and web monitoring to help protect victims from identity theft. A separate email will be sent to those affected who are eligible to apply for free access to the service for 12 months.

What information am I receiving from the DBF?

The DBF is currently providing support and guidance related to the APCS data breach. The information you receive depends on your role and how you have been affected:

  • For parishes (data controllers): If individuals in your parish have been affected by the APCS breach, we are supporting you with the necessary steps to respond. If you are an incumbent, churchwarden or Parish Safeguarding Officer (PSO), you will have received, or will soon receive, guidance from us. This includes how to report the breach to the Information Commissioner's Office (ICO) and how to support affected individuals within your parish.
  • For individuals affected by the breach: If your personal data was compromised in the breach and the Diocesan Board of Finance (DBF) is the data controller, which is the case for some individuals, you will have received, or will shortly receive, direct communication from us. As the data controller in those cases, the DBF is taking appropriate steps to support and advise you.

What next? 

We have set up a dedicated email address, APCSbreach@salisbury.anglican.org, for affected parishes, but most queries should be directed to the Information Commissioner's Office. The Diocesan office team has no more information than is contained on this page, which will be kept updated as we learn more from APCS.

The ICO is keen for parishes to contact its free advice service, on 0303 123 1113, to benefit from its expert support and advice.
