APCS Data Breach

Please note: This page will be continually updated as new information becomes available.

 

Access Personal Checking Services Ltd (APCS) Data Breach

We have been notified of a data breach that has occurred involving personal data processed by Access Personal Checking Services Ltd (APCS), acting as the data processor for those using APCS for Disclosure and Barring Service (DBS) applications.  In addition to many parishes across the Church of England, the breach has also affected a number of separate Dioceses and also the National Church institutions (NCIs), all of whom also use APCS.

Please note that the Church of England central systems and Diocesan Information Technology (I.T.) systems have not been hacked, and those respective networks are unaffected by this data breach.

APCS has provided some details of the breach, including the nature of the incident and the types of personal data involved. We are expecting further details will be provided as the investigation progresses.  If your parish has received an email from APCS, then you need to act to notify the breach to the Information Commissioner’s Office. You also need to contact those whose data may have been affected by the breach. 

If you haven’t received an email from APCS, then you are unlikely to have been affected, though you should continue to check for emails from them over the coming days.

Diocesan initial response

  • On 26 August 2025 the Ely Diocesan Board of Finance (EDBF) lodged a data breach report with the Information Commissioner’s Office (ICO).
  • Between 26–27 August, the Safeguarding Team forwarded APCS notification emails to affected parishes. These were sent to Parish Safeguarding Officers (PSOs), or an alternative parish leader where no PSO was in post.

Responsibilities as a data controller

  • Parishes are usually considered a data controller for the personal data of individuals requiring a DBS check for their role in parish activities.
  • Affected parishes (i.e. those notified by APCS) are required to report the breach directly to the ICO. Other third parties, including the EDBF, are not able to do this on a parish’s behalf.
  • Under UK GDPR (General Data Protection Regulation), breaches that are likely to result in a risk to the rights and freedoms of individuals, which this qualifies as, must be reported within 72 hours of the parish becoming aware of the breach (and if not, an explanation must be provided as to why there was a delay). The Diocese cannot do this on your behalf.

Notifying the Information Commissioner’s Office (ICO)

  • Where Parishes are the data controller, they need to report the data breach to the ICO without delay.
  • The NCIs have provided a sample breach report, which the EDBF also used and circulated to affected parishes. Affected parishes may adapt this when submitting their own report to the ICO.
  • An NCI Example Breach report to the ICO has been issued to all affected parishes.
  • Report a breach to the ICO - ICO breach reporting form: Report a personal data breach (click here)

Notifying affected individuals

  • Affected parishes should have received a list of affected individuals for their parish and a template notification letter from APCS. Parishes should adapt this letter to notify those affected in their parish.
  • The Church of England has also produced an alternative template guidance to inform affected data subjects which you may wish to use in preference – click here
  • Keep a record of all communications sent and actions taken. You may need to update individuals if APCS issues further information.

Informing the Charity Commission

On 28/08/2025, the NCIs, having been in communication with the Charity Commission, were informed that due to the large number of Serious Incident Reports the Charity Commission have received on this data breach, trustees in PCCs and diocesan boards of finance DO NOT need to report it to the Charity Commission "if in substance they simply wish to report the same incident in materially similar terms".

Below are the guidance documents produced by the NCIs, in the event that locally it is felt that you would still wish to submit a report. If you have any questions or are submitting a report to the Charity Commission, please consult the Diocesan Registrar (click here).

DBS checks going forward

The National Church has advised dioceses to pause all new DBS checks with APCS until further notice. If you are due to verify someone’s check, please do not proceed and please ignore reminder emails. Please advise your parish verifiers not to verify any checks. 

The Safeguarding Team (click here) will liaise with parishes as this advice develops.

Support for those affected

Immediate support for affected individuals will include 12 months of free Experian Identity Plus credit and web monitoring which will include monitoring of identity misuse and support with resolution.

Access codes will be distributed to dioceses shortly and shared with affected parishes. (Note: The Diocese of Ely expects to be able to circulate these codes during the week commencing 1st September 2025)

The NCIs remain in urgent contact with APCS to establish what further information is available.

Advice for individuals

The ICO recommends (click here) that affected individuals of a data breach take the following steps:

What next?

  • The ICO encourages parishes to call their free advice line for tailored support: 0303 123 1113
  • The Diocese will continue to update affected parishes as new information becomes available. For diocesan support on this matter, email privacy@elydiocese.org or contact the Safeguarding Team on matters of DBS checks at safeguardadmin@elydiocese.org

Further Resources

 

 

 

Frequently Asked Questions (FAQs)

The following Frequently Asked Questions (FAQs) seek to provide answers to many of the questions you might have about the data breach. As we learn more, we will update this section accordingly.

Last Updated: 5 September 2025

About the breach

What has happened?

  • We have been notified that one of the suppliers of Access Personal Checking Services Ltd (APCS) has been subject to a significant data breach. APCS carries out Disclosure and Barring Services (DBS) checks on behalf of the National Church Institutions (NCIs), some Dioceses and Parochial Church Council (PCCs). The breach has affected clergy, lay ministers, volunteers, PCC members and staff.

Who has it affected?

  • This breach has impacted people across the Church who have been subject to a recent DBS check. APCS carries out DBS checks on behalf of some Dioceses and PCCs, and the NCIs.

Who are APCS and what do they do?

  • APCS specialise in processing disclosures for individuals and small business owners, large public and private sector companies, organisations, and recruitment agencies.

When did this happen?

  • APCS have stated that their external software supplier, Intradev, notified them on 17 August that their system had been compromised between the 31 July 2025 and 15 August 2025, and certain files containing personal details were copied. APCS were provided with copies of the compromised data on Monday 18 August. APCS’ own network and servers were not compromised. From initial assessments made by APCS, the data that is affected is from 1 December 2024 to 9 May 2025.

Have other organisations outside of the CofE been affected?

  • Yes. APCS provides Disclosure and Barring Services (DBS) to many organisations. This breach also impacts those bodies.

How confident are we that only those notified have been affected?

  • APCS have started the process of notifying those individuals affected by the breach. APCS have said that the breach only affects those individuals who were subject to a DBS check between 1 December 2024 and 9 May 2025, but this is a moving situation, and we will keep you updated as we receive more information. [Note: Some Parishes have informed us that individuals in their parish have been listed as affected, despite not having a DBS check during the period outlined.]

Is this data breach connected to the data incident involving the independent Redress Scheme?

  • No. The two incidents are unconnected.

What personal information has been leaked?

We are waiting for more details from APCS. We understand that the breach may have affected some or all of the following information:

  • Name, phone number, date of birth, email address, address, place of birth, National Insurance number, passport number, driving licence number.

It does not include:

  • Medical information, information on any disclosures, information about your protected characteristics e.g., ethnicity, disability, sexual orientation, marital status.

The information that was accessed was in text format only. No documents, images, passwords, or financial details were affected.

What is the Diocese of Ely doing?

  • Parishes affected by the data breach have been contacted with advice and support.
  • Support for affected individuals includes 12 months free access to a credit checking and monitoring service from Experian. The Diocese of Ely will be sharing details for how all affected individuals will be able to access this resource during the week commencing 1 September 2025.
  • All DBS checks with APCS have been paused until further notice. Further information on this will be circulated by the Safeguarding team ASAP.
  • This incident has been reported by the Ely Diocesan Board of Finance (EDBF) to the Information Commissioner's Office (ICO).

Reporting the breach and data protection

Do PCCs need to report the incident to the ICO?

  • Yes. The Ely Diocesan Board of Finance (EDBF) has advised all affected parishes that PCCs should report separately to the ICO if they have staff or volunteers affected by the breach, irrespective of whether or not the EDBF may have provided administrative support in the process.
  • Parishes are responsible for identifying all staff, volunteers and PCC members who are required to undertake a DBS check by virtue of their role in the Parish. The EDBF frequently supports parishes through this identification process, as well as with any administrative tasks that support this undertaking, but parishes remain responsible for ensuring their duties are met, which includes the notification and support for those in their parishes who have been affected by this breach. The EDBF has and will continue to provide as much support as it is able to.

Who is responsible for reporting a breach to the ICO?

  • Only the data controller is responsible for reporting a high-risk data breach to the ICO. A high-risk data breach is one which has a significant effect on the rights and freedoms of data subjects. This APCS breach would count as being ‘high risk’.  All parties are accountable for taking steps to mitigate the effects of the breach where possible.
  • If the data breach is caused by the processor, as has been the case with APCS, it is they (the data processor) that must implement technical and organisational measures to assist the controller to deal with the breach, and they are responsible for their own failures or those of their sub-processors. However, the ICO can investigate all parties involved to ensure they have met their obligations appropriately.

Do we need to report this incident to the Charity Commission?

  • The Charity Commission have informed the National Church Institutions that due to the large number of Serious Incident Reports they have received on this, trustees in PCCs and diocesan boards of finance do not need to report to the Charity Commission "if in substance they simply wish to report the same incident in materially similar terms".

I would like to request that any data held by APCS on me is deleted under GDPR. How do I go about this?

Support for people affected

What support is available for those who have been affected?

  • Access to a credit checking and monitoring service from Experian is being made available for 12 months for those affected. If you have been affected by this data breach and you have not received a code to access your Experian Identity Plus account, please contact privacy@elydiocese.org.
  • More information about the service available from Experian is contained within the sections below. Advice about what additional steps you can take, and the resources available to help protect you from fraud, are also included in these FAQs.

Who can I contact about the data breach?

What if your passport and driving licence details have been accessed, should you apply for new ones?

  • APCS (Access Personal Checking Services) have confirmed to all affected parties that no images of passports or driving licences were compromised in this incident.
  • Current UK government guidance would seem to indicate:
  • We regret that we are not in a position to advise affected individuals on whether they should replace these documents. If further clarifying guidance is issued by HM Passport Office, the DVLA, or other UK authorities, we will update these FAQs.

If I lose money, incur costs to replace bank/ID cards, or my credit file is affected due to this fraud, will I be compensated?

  • This is a complex situation and discussions around liability and redress are still ongoing. The data breach is at an early stage and both APCS and their third party partner are actively investigating the incident and providing daily updates. Full forensic details are needed to establish the cause and extent of the breach before questions of compensation can be determined.
  • The Ely Diocesan Board of Finance (EDBF), along with other affected Boards of Finance and the National Church Institutions, is working closely with advisers and coordinating information sharing to support those affected. We will provide further updates as soon as more is known.
  • In the meantime, if you decide to replace documents or incur any costs, please keep all receipts and records. These may be needed should a claims process be established.

What support will I be offered if my data is used maliciously through this breach? For instance if someone uses the data to create a new payment from my bank account or creates a credit agreement that negatively affects my credit file?

  • We are encouraging all colleagues who are potentially affected by this to sign up to the Experian service. This service, provided for 12 months, will help you to keep an eye out for any changes that suggest someone is using your data improperly – for instance, you will get an alert if someone sets up a new credit agreement. If you become the victim of fraud, you will be offered help through Experian’s caseworker service to get back on track and sort out your credit file.
  • In addition, you should look out for any unwanted calls, emails or contact to you directly, including monitoring your bank account. You might find it helpful to talk to your bank now to let them know of the situation. Some are able to put in place additional identification verification checks for making/setting up payments, to help keep your money safe.

What can I do to protect myself from fraud?

  • Stay alert to unexpected emails, calls, or letters that mention personal details about you
  • Never give personal information to unsolicited callers, even if they seem to know details about you
  • Verify any unexpected contact by calling the organisation directly using their official number
  • Monitor for new applications made in your name:
  • Check your credit report – see below for information about the service that will be available to you from Experian shortly.
  • Look for any new accounts, credit searches, or applications you did not make.
  • Inform your bank, building society and credit card company of any unusual transactions on your statement.

Links and contact numbers

Action Fraud

GOV.UK

Financial Ombudsman Service

General advice

To report the theft or loss of post

Experian Identity Plus

Who can I speak to about getting an access code for the credit check and web monitoring service from Experian?

What does the Experian Identity Plus account provide?

Features of the Experian Identity Plus account include:

Daily Experian Fraud Report

  • If you log in, you can get your daily Experian Fraud Report. This details key information from your Experian Credit Report that may help you identify fraudulent activity on your credit report.

Alerts provided as part of the service

  • Alerts will be provided by email and/or SMS, depending on your settings and features availability.

Experian fraud alerts

  • Get alerts by email and/or text message about certain changes to your Experian Fraud Report. Alerts relate to when accounts are opened or closed, or when your credit report is searched. Some of our credit alerts may be sent in real-time to notify of certain changes when they happen, others are sent weekly.

Experian CreditLock alerts

  • Experian will let you know when your Experian credit file is searched and if your credit file was locked. For any applications that are blocked you will be sent a message by email and/or text to make you aware.

CreditLock

  • Experian CreditLock is designed to reduce fraudulent credit applications. Locking your Experian Credit Report will help to block new fraudulent credit applications made in your name, using your information from the Experian Credit Bureau.

Web monitoring

  • Experian will help you better protect your identity by scanning certain internet sites and locations for selected personal and financial details and alerting you by email or text message if anything looks wrong or fraudulent. Alerts are sent every day that we find suspicious information. Web monitoring is designed to work alongside taking a cautious approach to your sharing of data and use of the internet and other digital services.

Read this guide to Identity Plus for more details (https://www.experian.co.uk/consumer/product-factsheets/Identitypluspartneraug2019.pdf)

How do I read my credit report? I have never had one before

If you are not sure where to start, take a look at this guide from Experian:

  • www.experian.co.uk/consumer/experian-credit-report.html  
  • Your credit report has different sections. For instance, it will show information about you, any credit agreements you have (e.g. your mortgage or with a phone company), your financial connections (e.g. spouses/partners), and details of any missed/overdue payments on credit agreements.

What happens beyond 12 months with the Experian service?

  • At the end of the 12-month period the individuals will get an email to say their subscription is coming to an end and the options available to them.

How up to date is Experian? For instance, if someone set up a credit agreement today, would they tell me today?

  • You will be offered daily alerts as to whether something has changed within your credit report. The subscription also allows you to lock your Experian credit report to help stop fraudsters taking out agreements in your name.

I have been advised to use CIFAS as well. Is this necessary?

  • Experian is a member of CIFAS (Credit Industry Fraud Avoidance System) and can access data related to confirmed fraud cases. CIFAS focuses on fraud prevention; Experian offers identity verification and fraud prevention.

I already have an Experian account, or I have used Experian in the past. What should I do?

  • When you log into Experian using the code we have given you and your personal email address, you may be told that you already have an account under that username. In this case, either continue to use your existing account if you are still paying for it and let us know that you do not need the code, or create a new account using a different email address.
  • If you need further assistance, please call the Experian support line on 03444 818182.

Experian asks for a lot of personal data. Should I be giving this to them?

  • When you create the account, you will be asked for your email address as a username. You should use your own personal email account because reports from Experian contain your own personal financial information, which should not be held in a work email inbox (see above).
  • You may be asked for date of birth and address so that Experian can identify you, and they may ask you for additional data, for example, your mother’s name as an additional security check.
  • They will already know some of your financial arrangements e.g. mortgage information and bank account details etc, or other financial arrangements where you have had to get a credit check, and they will ask you to confirm these.
  • They need these details to ensure that they monitor all your financial arrangements; however, they also collect data for marketing purposes.
  • You should read their Privacy Notice here - Experian Consumer Privacy Policy (https://www.experian.co.uk/consumer/privacy.html)
  • To opt out of marketing click here - Opt out by marketing channel and industry sector - Experian Consumer Information Portal (https://www.experianmarketingservices.digital/OptOut)

Other / general

I have been approached by a journalist to ask me about the breach. What do I do?

  • It is up to the individual parishes of affected parties how they wish to respond.
Page last updated: Friday 5th September 2025 9:59 AM