The UK’s Information Commissioner’s Office (ICO) has launched a joint investigation with data protection authorities in Jersey, Guernsey, and the Isle of Man into a cyber incident that compromised the personal data of trade union Prospect Custodian Trustees Ltd in June 2025.
Prospect represents more than 160,000 members working in specialist fields including science, engineering, and technology. The organization holds extensive personal information about its members, ranging from financial details to highly sensitive data such as trade union membership, ethnic origin, sexual orientation, disability status, and religious beliefs. Regulators say the nature of the information involved raises significant concerns about potential harm to affected individuals.
The cross-jurisdictional investigation reflects growing cooperation among data protection authorities in response to cyber incidents that span multiple legal regimes. By coordinating their efforts, the regulators aim to conduct a more efficient and comprehensive inquiry while ensuring consistent enforcement of data protection standards.
Investigators will examine the scope and sensitivity of the personal information exposed in the breach and assess the risks posed to members whose data may have been compromised. They will also review whether Prospect had appropriate technical and organizational safeguards in place to protect the information it held, and whether the organization complied with its legal obligations to notify regulators and affected individuals of the breach. The inquiry will further consider whether Prospect took adequate steps in its initial response to mitigate risks once the incident was identified.
UK Information Commissioner John Edwards said the investigation will closely scrutinize whether Prospect met the expectations of members who entrusted the organization with sensitive personal information. He added that the joint approach demonstrates regulators’ determination to uphold data protection standards across borders.
Officials from Jersey, Guernsey, and the Isle of Man echoed those concerns, pointing to the rise in cyber and phishing attacks targeting organizations operating across jurisdictions and the need for coordinated regulatory responses.
Each authority will assess compliance under the data protection laws it oversees. Regulators said no further comment will be made while the investigation remains ongoing.
Need Help?
If you have questions or concerns about any global guidelines, regulations and laws, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight, and ensure you’re informed and compliant.
