A data breach that has occurred involving data processed by Access Personal Checking Services (APCS) Ltd – the provider the Diocese and most parishes currently use to process Disclosure and Barring Service (DBS) checks for parish officers.
Update - December 2025
The diocese is continuing to work with colleagues in the National Church Institutions (NCIs) and understand they have recently received acknowledgment letters from APCS, referring to correspondence from August and September. These letters do not provide any information on the progress, compensation or anticipated outcome of the investigation.
Part of the delay is due to the Information Commissioners Office (ICO) managing a 29 week backlog. Consequently, the earliest we might expect progress on this investigation would be March 2026.
There is no formal report yet from APCS, just the acknowlegment letters sent to the NCIs.
Recovering DBF costs and advising parishes on replacement documents
We cannot provide specific advice on recovering costs. One of the letters to APCS (referred to above) enquired about compensation, and the APCS response was:
"Regarding any requests for compensation, our position is currently still as that shown on our website:
Q: What is your current position on credit monitoring and compensation?
A: We are currently exploring whether credit monitoring can be offered. In respect of compensation, we suggest that individuals retain information in respect of any losses. As we have a legal team instructed who will be dealing with claims, we will not be responding to requests for compensation until the outcome of the investigation as liability has not yet been determined."
August 2025
On 17 August 2025, APCS were notified by Intradev – their external software supplier – of a potential data breach. Intradev confirmed that they have been subject to unauthorised access and certain files that relate to personal data were copied from their systems during a recent cyber-attack.
The data breach concerns data collected from December 2024 to 8 May 2025. The affected data is likely to include name, date of birth, email address, postal address, place of birth, gender, National Insurance Number, Passport details and Driving Licence. APCS have confirmed that they do not store payment card details or records of any criminal convictions.
Our own network and servers were not compromised.
We are working closely with APCS who are conducting a thorough investigation to determine the full scope of the data involved. It is likely that this includes any data submitted for DBS applications in the period referred to above. APCS are only contacting data controllers (i.e. the Diocese and PCCs) where they know there has been a data breach. Not all PCCs will need to be contacted.
We ask that PCCs stop submitting DBS checks until we are able to offer an update.
APCS are actively assessing the situation to understand the extent of the impact and will keep us informed of any significant developments.
Information for Incumbents, PCC Secretaries, Parish Safeguarding Officers, Safeguarding – DBS Contact and Churchwardens:
We are aware that a number of parishes use APCS to carry out DBS checks. Should you receive an email directly from APCS to inform you of the data breach notification, you may need to report the matter to the Information Commissioner’s Office (ICO) and notify potentially affected parish officers and others for who you have carried out DBS checks.
If you are contacted by APCS it is because there are parish officers for who you have carried out a DBS check between December 2024 and May 2025.
We have carried out a risk assessment and have made the decision to report this incident to the Information Commissioner’s Office (the ICO) and the Charity Commission.
We take this matter very seriously and APCS are committed to resolving it promptly and effectively. We will update you on any further action that may be required in due course. In the meantime, please continue to remain vigilant in managing your own personal information online to minimise any potential risk, particularly if you are approached by any unknown individual or organisation that may not appear genuine and if you receive any phishing emails that contain harmful links or attachments.
If you have any questions or concerns in relation to this article, please contact Diocesan colleagues via DPOSupport@diocant.org
Here is a useful video guide for reporting to the ICO, as well as a template to help with filling out the form which you can complete online.
Here are some frequently asked questions about the breach.
We have no substantial updates at this stage but continue to engage with colleagues in the National Church Institutions and other dioceses. Please see the latest update from the APCS website.