Document with data fragments representing paper-based data breaches
Offline Data Breaches

Between 2020 and 2025, the Information Commissioner’s Office recorded 11,141 data breaches linked to paper records being lost, stolen, or incorrectly disposed of. The figures, drawn from ICO incident trend data and analysed by document management firm Officeology, suggest that physical document handling remains a persistent vulnerability even as organisations pour resources into digital security.

Employee data featured prominently. Nearly one in five incidents (2,103 cases) involved staff records, including personal identifiers, health information, and financial details. In 2025 alone, 330 of the 1,820 paperwork-related breaches concerned employee data, potentially affecting up to 28,000 workers based on the size of the organisations involved.

Reporting deadlines routinely missed

UK GDPR requires organisations to notify the ICO within 72 hours of discovering a breach, but in 2025 that deadline was missed in 41% of cases. In 399 incidents, it took a week or more for the ICO to be alerted.

The most commonly exposed data types are basic personal identifiers (name, address, date of birth), accounting for 39% of 2025 incidents, followed by health data at 23%.

Enforcement remains rare

Despite the volume, formal enforcement remains rare. Fewer than 5% of paperwork breaches between 2020 and 2025 led to a formal ICO investigation. In 2025, just 12 were referred to investigation teams, down from 55 the previous year. The ICO opted for guidance and advice in 1,429 cases.

While cybersecurity dominates the news, physical theft, loss or the incorrect disposal of paper records remains a significant risk. GDPR is technology-neutral, meaning offline data handling carries the same legal and security obligations as digital systems.

Adam Butler, CEO, Officeology

The consistency of the breach numbers across five years is notable. Despite widespread digital transformation programmes, paper-based incidents have not declined, suggesting that many organisations have tightened their firewalls while leaving filing cabinets, print rooms, and disposal processes largely unaddressed.

More Articles

UK factory production line with AI robotic arms and sensors

Five Things UK Manufacturers Got Wrong When They First Tried AI on the Production Line

Andrew McLean
Cybersecurity data protection with glowing blue digital shield

What the NCSC Actually Says About Using ChatGPT and Copilot With Sensitive Business Data

Kate Bennett
AI customer support chatbot with holographic chat interface

How to Automate Customer Support With AI for a UK E-Commerce Business Using Freshdesk or Zendesk

Kate Bennett
Person coding on laptop in creative workspace with blue lighting

Vibe Coding With Cursor AI and Replit Agent — What a UK Business Owner With No Dev Skills Needs to Know Before Building an App

Andrew McLean

More News

CMA Launches Strategic Market Status Investigation into Microsoft's Cloud Ecosystem

8 April 2026

Diagnoly Brings Fetal Ultrasound AI to iOS as Global Deployment Passes 20 Countries

8 April 2026

Half of UK IT Teams Regularly Diverted by Routine Tech Problems, TOPdesk Survey Finds

7 April 2026