Cabinet Office: Data Protection

(asked on 27th October 2025)

Question to the Cabinet Office:

To ask the Minister for the Cabinet Office, with reference to page 58 of the Cabinet Office annual report and accounts 2024-25, published on 23 October 2025, if he will set out the types of personal data reported to the Information Commissioner's Office in each of the eight incidents; and if he will set out what types of data were compromised in the Capita cyber-attack.


Answered by
Dan Jarvis
Minister of State (Cabinet Office)
This question was answered on 5th November 2025

Please see below the data items as recorded on the notification forms to the Information Commissioner’s Office for the eight incidents referred to on page 58 of the Cabinet Office annual reports and accounts 2024-25:

Incident 1 - Health, name, contact details, date of birth

Incident 2 - Name, account numbers and sort codes

Incident 3 - Names, addresses, dates of birth and medical information

Incident 4 - Name, date of birth, home address and brief medical history

Incident 5 - Names, work email addresses, job roles/grade

Incident 6 - Name, Address, National Insurance Number, economic and financial data

Incident 7 - Name, Address, National Insurance Number, economic and financial data

Incident 8 - Name, allegations of improper conduct

In the majority of the above reported incidents either individual or very small numbers of data subjects were affected by the breach.

Regarding the Capita incident, the types of personal data recorded in the Information Commissioner’s Office notification are as follows:

  • Name

  • Contact details

  • Account numbers and sort codes

  • Health data

  • Economic and financial data, e.g. credit card numbers, bank details

  • Copies of official documents, e.g. driving licences
