APCS Data Breach
We have been notified of a data breach that has occurred involving personal data processed by Access Personal Checking Services Ltd (APCS), acting as the data processor for those using APCS for DBS applications. In addition to many parishes across the Church of England, the breach has also affected a number of separate Dioceses and also the NCIs, all of whom also use APCS.
Please note that the Church of England central systems and diocesan IT systems have not been hacked, and those respective networks are unaffected by this data breach.
APCS has provided some details of the breach, including the nature of the incident and the types of personal data involved. We are expecting further details will be provided as the investigation progresses. If your parish has received an email from APCS, then you need to act to notify the breach to the Information Commissioner’s Office. You also need to contact those whose data may have been affected by the breach.
If you haven’t received an email from APCS, then you are unlikely to have been affected, though you should continue to check for emails from them over the coming days.
Diocesan initial response
- On 26 August 2025 the EDBF lodged a data breach report with the ICO.
- Between 26–27 August, the Safeguarding Team forwarded APCS notification emails to affected parishes. These were sent to Parish Safeguarding Officers (PSOs), or an alternative parish leader where no PSO was in post.
Further Information
For further information regarding this matter, please visit the Data Protection pages pf the Diocesan website here - https://www.elydiocese.org/parish-support/privacy-and-data-protection/data-protection-and-gdpr/apcs-data-breach.php