Please note: This page will be continually updated as new information becomes available.
APCS Data Breach
We have been notified of a data breach involving personal data processed by Access Personal Checking Services Ltd (APCS), acting as the data processor for those using APCS for DBS applications. In addition to many parishes across the Church of England, the breach has affected a number of separate Dioceses and the NCIs, all of whom also use APCS.
Please note that the Church of England central systems and diocesan IT systems have not been hacked, and those respective networks are unaffected by this data breach.
APCS has provided some details of the breach, including the nature of the incident and the types of personal data involved. We expect further details to be provided as the investigation progresses. If your parish has received an email from APCS, then you need to report the breach to the Information Commissioner’s Office. You also need to contact those whose data may have been affected by the breach.
If you haven’t received an email from APCS, then you are unlikely to have been affected, though you should continue to check for emails from them over the coming days.
Diocesan initial response
- On 26 August 2025 the EDBF lodged a data breach report with the ICO.
- Between 26–27 August, the Safeguarding Team forwarded APCS notification emails to affected parishes. These were sent to Parish Safeguarding Officers (PSOs), or an alternative parish leader where no PSO was in post.
Responsibilities as a data controller
- Parishes are usually considered a data controller for the personal data of individuals requiring a DBS check for their role in parish activities.
- Affected parishes (i.e. those notified by APCS) are required to report the breach directly to the ICO. Other third parties, including the EDBF, are not able to do this on a parish’s behalf.
- Under UK GDPR, breaches that are likely to result in a risk to the rights and freedoms of individuals, as this one is, must be reported within 72 hours of the parish becoming aware of the breach (and if not, an explanation must be provided as to why there was a delay). The Diocese cannot do this on your behalf.
Notifying the Information Commissioner’s Office (ICO)
- Where Parishes are the data controller, they need to report the data breach to the ICO without delay.
- The NCIs have provided a sample breach report, which the EDBF also used and circulated to affected parishes. Affected parishes may adapt this when submitting their own report to the ICO.
- An NCI Example Breach report to the ICO has been issued to all affected parishes
- Report a breach to the ICO - ICO breach reporting form: Report a personal data breach (click here)
Notifying affected individuals
- Affected parishes should have received a list of affected individuals for their parish and a template notification letter from APCS. Parishes should adapt this letter to notify those affected in their parish.
- The Church of England has also produced an alternative template guidance to inform affected data subjects which you may wish to use in preference – click here
- Keep a record of all communications sent and actions taken. You may need to update individuals if APCS issues further information.
Informing the Charity Commission
On 28/08/2025, the NCIs, having been in communication with the Charity Commission, were informed that due to the large number of Serious Incident Reports the Charity Commission have received on this data breach, trustees in PCCs and diocesan boards of finance DO NOT need to report it to the Charity Commission "if in substance they simply wish to report the same incident in materially similar terms".
Below are the guidance documents produced by the NCIs, in the event that locally it is felt that you would still wish to submit a report. If you have any questions about submitting a report to the Charity Commission, please consult the Diocesan Registrar (click here).
- Charity Commission Serious Incident Report from the NCIs: This document includes guidance (highlighted in red) for dioceses and parishes to submit their own report – click here.
- Briefing document to help dioceses and parishes to submit a Serious Incident Report to the Charity Commission – click here
- Access to the online Charity Commission Serious Incident Reporting tool - click here
DBS checks going forward
The National Church has advised dioceses to pause all new DBS checks with APCS until further notice. If you are due to verify someone’s check, please do not proceed and please ignore reminder emails. Please advise your parish verifiers not to verify any checks.
The Safeguarding Team (click here) will liaise with parishes as this advice develops.
Support for those affected
Immediate support for affected individuals will include 12 months of free Experian Identity Plus credit and web monitoring which will include monitoring of identity misuse and support with resolution.
Access codes will be distributed to dioceses shortly and shared with affected parishes. (Note: The Diocese of Ely expects to be able to circulate these codes during the week commencing 1st September 2025)
The NCIs remain in urgent contact with APCS to establish what further information is available.
Advice for individuals
The ICO recommends (click here) that individuals affected by a data breach take the following steps:
- Report lost/stolen ID documents to the issuing organisation.
- Inform your bank/building society/credit card provider of any unusual activity.
- Be cautious of suspicious emails, texts and websites – guidance is available from the National Cyber Security Centre (click here)
- Use strong, unique passwords for accounts.
- Consider registering with Cifas Protective Registration.
What next?
- The ICO encourages parishes to call their free advice line for tailored support: 0303 123 1113
- The Diocese will continue to update affected parishes as new information becomes available. For diocesan support on this matter, email privacy@elydiocese.org or contact the Safeguarding Team on matters of DBS checks at safeguardadmin@elydiocese.org
Further Resources
- What to do if you’ve shared personal information - Stop! Think Fraud - click here (GOV.UK guidance)
- Action Fraud - click here (England, Wales and Northern Ireland) or
- Advice and information - click here – (Police Scotland)
- Financial Ombudsman Service - click here
- Home Office - identity theft victims' checklist - click here
- To report the theft or loss of post: Royal Mail website: www.royalmail.com/report-a-crime - click here or call Royal Mail on 08457 740 740