Does a data processor have to inform the data owner of a security breach?

Although there is no legal obligation on data controllers to report breaches of security which result in loss, release or corruption of personal data, the Information Commissioner expects serious breaches (which are not defined) to be reported.

There should be a written agreement in place (a requirement of the Data Protection Act) and ideally this should give guidance. However the Data Controller is unlikely to be able to comply with their obligations if they are not told about the situation.