We have been made aware that our DBS administrator, APCS has encountered a data breach. This data was accessed from an external software contractor to APCS and not from our own systems which remain secure. This breach is affecting several dioceses across the country.
APCS has informed us that information accessed could include names, contact details, national insurance numbers and passport details. Only text information was affected - no documents, images, passwords, or financial details were accessed. It relates to DBS applications made between December 2024 and early May 2025.
Because PCCs are separate data controllers, PCCs have a responsibility to manage data breaches. We understand that APCS should be advising data controllers of individuals affected. We have sought legal advice on this situation and have shared this below in order to assist you:
- Please contact APCS directly to request an update on their investigation and to understand the extent to which individuals in your PCC may have been affected. They can be contacted on enquiries@accesspcs.co.uk and on 0343 611 2727.
If APCS confirms that the data breach affects individuals in your PCC, you should take the following steps:
- Consider whether the data breach is likely to result in a high risk of harm to those individuals (such as identity theft where passport, driving licence or national insurance information etc. has been accessed) and if so, the data breach should have been reported to the ICO using this link within 72 hours of notification.
- Consider whether to inform those individuals impacted about the breach that their personal information has been compromised – there is helpful information on the National Cyber Security Centre about this - Data breach guidance for individuals - NCSC.GOV.UK
- Keep a record of the data breach including any updates from APCS as when further details about the incident become available.
Responding to the data breach, the Right Reverend Mark Wroe, Bishop of Berwick, commented: "I have been dismayed to learn of the APCS Data Breach which is affecting our diocese and a number of other dioceses across the country at the moment. Our personal data is hugely precious and it is deeply concerning when our trust is undermined in this kind of way. I am hugely grateful to our team at Church House who have responded so quickly and carefully to the breach and are passing on information and updates as speedily as possible so that parishes are kept up to date with this fast-moving situation and receive the best advice which is being shared nationally. Thank you to everyone dealing with this on behalf of their PCCs for your gracious and kind responses at this anxious time. My prayers are with all those who are affected, whether volunteers in parishes, postholders or our own diocesan staff."
What we, as a Diocese, have done:
- The incident has been reported to the Information Commissioner's Office
- APCS have confirmed that all affected systems have been secured and additional protections implemented
- We are monitoring the situation and will update you if we learn of any specific threats
Recommended precautions:
- Stay alert to unexpected emails, calls, or letters that mention personal details about you
- Never give personal information to unsolicited callers, even if they seem to know details about you
- Verify any unexpected contact by calling the organisation directly using their official number