Paperwork breaches hit 11,141 in UK over five years

Paperwork-related data breaches reported to the Information Commissioner’s Office totalled 11,141 between 2020 and 2025, according to an Officeology analysis. Of those, 2,103 involved employee data.

The figures point to a persistent stream of non-digital breaches at a time when many organisations have focused security spending on cyber threats. Officeology’s review of ICO incident data found that the breaches involved paperwork being lost, stolen or disposed of incorrectly.

In 2025 alone, 1,820 paperwork-related breaches were reported to the regulator, the analysis found. Of those, 330 incidents, or 18%, involved employee data, including personal identifiers, health and financial information.

Based on the size of organisations that recorded those incidents, as many as 28,000 employees could have been affected in 2025. The estimate underscores the continued exposure created by paper records in workplaces that may otherwise have moved much of their operations online.

Reporting Delays

The review also examined how quickly organisations reported paperwork breaches to the ICO. Under UK GDPR rules, personal data breaches must be reported within 72 hours of an organisation becoming aware of them.

In 2025, that deadline was missed in 41% of paperwork cases. In 399 incidents, organisations took one week or more to alert the ICO, while in 351 cases reporting took between 72 hours and one week.

Employee data breaches showed a similar pattern. In 39% of those incidents, or 130 cases, the report was made after the 72-hour deadline.

Data Types

Basic personal identifiers were the most common type of information exposed in paperwork incidents. In 2025, 708 breaches involved details such as names, addresses and dates of birth, representing 39% of all paperwork cases reviewed.

Health data was the next most common category, accounting for 23% of incidents. Among employee data breaches, a third of cases, or 112 incidents, involved the loss, theft or incorrect disposal of basic identifying information.

The ICO classifies paperwork incidents as non-cyber breaches. It defines these as “a type of breach that does not have a clear online or technological element which involves a third party with malicious intent.”

Few Investigations

Only a small minority of paper-based breaches led to formal regulatory investigations. Between 2020 and 2025, fewer than 5% of paperwork incidents resulted in a formal investigation, according to the figures.

In 2025, 12 paperwork-related breaches were referred to investigation teams to determine what action, if any, was appropriate. That was down from 55 in 2024.

In 1,429 paperwork mishandling cases last year, the ICO chose not to use its formal powers and instead provided guidance and advice. Only one incident involving employee data was formally investigated in 2025.

The broader pattern suggests paperwork remains a steady source of data loss despite the wider shift to digital systems. Incident levels have stayed relatively stable over the past five years, even as paper records and communications have gradually declined in many sectors.

Adam Butler, chief executive of Officeology, said: “Our analysis of ICO data has highlighted areas of concern, specifically businesses using paper-based systems.

“While cybersecurity dominates the news, physical theft, loss or the incorrect disposal of paper records remains a significant risk to companies’ data security, including their own employees’ private information.

“GDPR legislation, the legal framework that aims to protect the privacy and personal data of individuals, is technology-neutral and applies whether data is processed online or offline. It covers any filing system intended to be used in a searchable way.

“Paper-based processes are inherently more vulnerable to human error. Adopting document management systems allows businesses to streamline workflows and store information in secure, centralised environments, helping organisations to better safeguard data and maintain compliance.”