What I can give you is this…
Here is the link to the ICO webpage which details what constitutes, how and when to report a breach:
https://icosearch.ico.org.uk/s/search.html?query=data+breach&collection=ico-meta&profile=_default
Also, this is the question in Section 1 Assertion 3 of the AGAR:
“…We took all reasonable steps to assure ourselves that there are no matters of actual or potential non-compliance with laws, regulations and Proper Practices that could have a significant effect on the ability of this authority to conduct its business or manage its finances…”
The ‘decision’ about whether a data breach should be reported must be made by the people with responsibility for whichever organisation it is that is asking itself the question - guidance is available from the ICO chatbot.
In the case of a PC, there may be a nominated Data Protection Officer.
If a breach is decided by the organisation and it is reported to the ICO, it then becomes a matter for that council to consider the question in Assertion 3. Can it, under all of the prevailing circumstances, affirm that all reasonable steps, actual or potential non-compliance, significant impact on ability to conduct business / manage finances etc. etc.…
These are the boundaries within which a PC ‘should’ operate, the PC then has to mark its own homework with self certification - there is little chance the Internal Audit will be of any use.
The decision lies entirely with the subject council, their depth of understanding, how diligently they may apply the existing regs and whether they are willing to navel-gaze…