The Data Security and Protection Toolkit includes a tool for reporting data security incidents to the Information Commissioner's Office, the Department of Health and Social Care and NHS England. 

Organisation administrators must notify a breach of personal data within 72 hours. If the breach is likely to result in a high risk to the rights and freedoms of individuals, organisations must also inform those individuals without undue delay.

If you require immediate advice and guidance related to a cyber security incident, please contact the NHS Digital Data Security Centre on: 0300 303 5222.

Further guidance on the legal mandate, what constitutes a breach and examples is available.