CFOtech UK - Technology news for CFOs & financial decision-makers
United Kingdom
Modern uk office desk breached manila folder personal records
#
Data Protection
#
Document Management
#
Digital Transformation

Paper data breaches in UK hit 11,141 over five years

Tue, 28th Apr 2026 (Today)
Author image
By Sean Mitchell, Publisher

More than 11,000 paper-based data breaches were reported to the UK Information Commissioner's Office between 2020 and 2025, according to Officeology. Its analysis found employee data featured in almost one in five incidents.

The document management specialist reviewed ICO records on paperwork that was lost, stolen or incorrectly disposed of. It identified 11,141 incidents over the period, including 2,103 involving employee information such as personal identifiers, health details and financial data.

The figures point to a persistent form of data loss outside the usual focus on online attacks and system intrusions. Under the ICO's classification, paperwork-related incidents are treated as non-cyber breaches because they do not involve a clear online or technological element linked to a malicious third party.

In 2025 alone, 1,820 paperwork breaches were reported to the regulator, the analysis found. Of those, 330 incidents, or 18%, involved employee data and could have affected as many as 28,000 workers, based on the size of the organisations involved.

Reporting delays

The analysis also highlighted repeated delays in notifying the regulator. UK GDPR requires organisations to report personal data breaches within 72 hours of becoming aware of them, but that deadline was missed in 41% of paperwork cases recorded in 2025.

That included 399 incidents reported a week or more after discovery and 351 reported between 72 hours and one week later. For breaches involving employee data, 39% of incidents, or 130 cases, were reported after the 72-hour deadline.

The information exposed most often was basic personal data, including names, addresses and dates of birth. In 2025, 708 incidents involved those identifiers, accounting for 39% of the year's paperwork breaches, while health data featured in 23% of cases.

Among breaches linked to employee records, a third, or 112 incidents, involved the loss, theft or incorrect disposal of basic identifying information. This suggests routine administrative records remain a notable source of risk when physical files are mishandled.

Few investigations

Most reported incidents did not lead to a formal ICO investigation. Fewer than 5% of paperwork breaches recorded between 2020 and 2025 were escalated for formal investigation, according to Officeology.

In 2025, only 12 paperwork-related incidents were passed to investigation teams to assess what action, if any, was appropriate, down from 55 in 2024.

Last year, the ICO chose not to use its formal powers in 1,429 paperwork mishandling cases, instead providing guidance and advice. Only one incident involving employee data was formally investigated in 2025.

The steady level of incidents over the past five years suggests the shift towards digital systems has not removed the risks tied to physical records. Although many organisations have reduced their reliance on paper, remaining document flows still appear to create opportunities for files to be lost, left insecure or improperly discarded.

Officeology argued this leaves a gap in many security approaches, particularly where businesses have focused investment on digital protection while paying less attention to the storage, handling and disposal of hard-copy records.

Adam Butler, chief executive of Officeology, commented on the findings and offered advice on managing offline data security.

"Our analysis of ICO data has highlighted areas of concern, specifically businesses using paper-based systems.

While cybersecurity dominates the news, physical theft, loss or the incorrect disposal of paper records remains a significant risk to companies' data security, including their own employees' private information.

GDPR legislation, the legal framework that aims to protect the privacy and personal data of individuals, is technology-neutral and applies whether data is processed online or offline. It covers any filing system intended to be used in a searchable way.

Paper-based processes are inherently more vulnerable to human error. Adopting document management systems allows businesses to streamline workflows and store information in secure, centralised environments, helping organisations better safeguard data and maintain compliance," Butler said.

Related stories
Celerity acquires Ranger4 to boost automation & AI
Influencer marketing shifts from add-on to core strategy
Retail tech buyers demand proof over promise on AI
EY launches Forward Deployed Engineer roles for AI
Workday backs Club Med HR overhaul for global staff

Top stories

Synextra wins Microsoft Data & AI on Azure designation
Woodgate & Clark expands broker support with BIBA tie
ClearCourse buys Kurve to boost hospitality software
UK workers rank cyberattacks top threat to continuity
Most large UK firms cannot explain overseas AI data use