We have been made aware that the external organisation that we use for DBS checks (APCS) has had a significant data breach and information found on documents used to check identification may have been compromised (names/ addresses/ passport details etc).
As far as we are aware, this data breach affects DBS checks completed by the diocesan office and by parishes between November 2024 and 8 May 2025. Parishes affected should have been contacted directly by APCS, but you may wish to check with the organisation if you haven’t received an email and think this might affect you.
DBS checks need to be completed through a registered body and APCS is used by the national church and at least 14 other dioceses.
We understand that the data for around 150 people who completed a DBS check verified by the diocesan office team has been compromised. We are currently contacting all these people directly, so if you haven’t received an email or letter from the diocesan safeguarding team over the next couple of days (most have already been sent), then there is no indication any personal information you may have provided is affected by this breach.
We are also liaising with APCS to understand how many of our parishes are impacted. If you have received an email from them and haven’t already let us know, please do contact us so we can provide any support you might need in contacting individuals affected/ completing reports. The National Church is investigating what specific support might be made available to those whose data has been compromised and we will pass this onto individuals as soon as we can.
Archdeacon Nikki said:
“We realise that this data breach is hugely upsetting for those who have been affected and anyone finding this situation particularly distressing is welcome to be in touch with me if they would find that helpful. I am grateful for all that is being done in parishes and by both the diocesan team and the national church to provide support, and I also want to give thanks for all that our volunteers do in helping to keep our churches as safe as possible.”
It is important that those parishes who have been affected by the breach file a report with the Informational Commissioner’s Office – we can provide a template to help you do this if necessary. This is because each PCC (like the DBF) is a separate legal entity, and we have been told it is not possible for the DBF (or the national team) to make a ‘blanket’ report for all affected legal entities. However, we have already notified the Information Commissioner’s Office and the Charity Commission, so they are well aware of the breach. The Charity Commission has now said that they don't require parishes to make any further reports to them.
We have set up a dedicated email for anyone to ask advice about this situation. Do email us on databreachsupport@cofe-worcester.org.uk and one of the team will respond as soon as possible.
The team is also liaising with the national team and APCS to understand how this happened and to ensure that data remains secure for all future DBS checks, which are obviously an important part of safer recruitment. If you have any DBS checks due imminently, please do contact us.
Diocesan Secretary Andy Todd said:
“I am acutely aware of how challenging and upsetting it has been for PCCs, volunteers, clergy and staff to be put in this situation. I would like to reassure you that, from the moment we were notified of the breach, the Diocesan Office team has been working to support those affected – and we will continue to do so. We have been in daily communication with APCS, other dioceses, the National Church team, legal specialists and others to ensure that we have as comprehensive an understanding of possible of who has been impacted and how, and of what practical support is available. I would continue to encourage anyone affected or concerned to contact us through the dedicated email link, or by phone.”
Are our IT systems affected?
No, our systems have not been hacked. The Diocese of Worcester network is unaffected by this data breach. There is no direct connection between our systems and third-party providers.
General advice
As always, stay alert for any suspicious activity via email, SMS, or phone calls. Responsible organisations will not contact you and ask you to provide them with personal account information such as your username and password. If you are unsure about anyone you are in communication with, online or over the phone, make sure you verify their identity independently before engaging with them further.
Resources
- What to do if you’ve shared personal information - Stop! Think Fraud (GOV.UK guidance)
- Action Fraud (England, Wales and Northern Ireland) or
- Advice and information – (Police Scotland)
- Financial Ombudsman Service
- Home Office - identity theft victims' checklist
To report the theft or loss of post:
- Royal Mail website: www.royalmail.com/report-a-crime
- Or call Royal Mail on 08457 740 740
