Beacon Hill School 

Information Governance 

 

Serious Incident Reporting Policy

(Breach reporting)

 

 

 

 

  • Introduction

 

Information governance helps to prevent the unauthorised disclosure, amendment or deletion of information and the unauthorised withholding of information or resources. It helps to maintain the integrity of information and ensures that information is available when legitimately required. An information governance serious incident requiring investigation (IG SIRI) may occur where these security principles are compromised.

 

  • Purpose 

 

The School Data Protection Lead – Anabel Drought is responsible for ensuring that the procedures are in place for incident response planning and preparation. This policy forms part of the school’s planning and preparation and has been developed to ensure that the school complies with the Data Protection Act 2018 and forthcoming General Data Protection Regulation and ensure that a consistent, effective and orderly approach is applied to the investigation, reporting and management of IG SIRIs, so that damage is kept to a minimum and the likelihood of an incident recurring is reduced.

 

  • Scope

 

This policy applies to anyone who has access to the School’s information, including staff, and any other organisations working on our behalf. 

 

  •  Implementation and review  

 

This policy takes effect immediately and it is important that all staff are aware of IG SIRI requirements. If staff have any queries they should discuss these with their line manager or the DPO. This policy will be reviewed annually.

 

  • Compliance with legal and contractual obligations

 

Beacon Hill School will abide by UK legislation relating to information storage and processing and comply with any associated contractual requirements, standards, policies and principles. 

 

 

  • Definition of an IG SIRI

 

An IG SIRI is an actual or suspected breach, near miss or weakness that may be as a result of: 

 

  • a breach of information integrity, confidentiality or availability expectations (i.e. loss of a memory stick containing confidential information, inadequate disposal of confidential material, leaving a PC unattended and not locking it);
  • ineffective security control;
  • human error;
  • non-compliances with policies or guidelines;
  • breaches of physical security arrangements;
  • uncontrolled system changes;
  • malfunctions of software or hardware (i.e. systems or equipment failure); and
  • access violations (i.e. hacking and viruses or unauthorised access to records).

 

Note: a near-miss is an unplanned event that did not result in the loss of confidentiality, integrity or availability, but had the substantial potential to do so. For example a pupil file is found to be misfiled, but the mistake quickly rectified.

 

 

  • Action and Responsibilities

  • Reporting security incidents

 

All users of Beacon Hill School’s information have a responsibility to immediately report all actual and suspected IG SIRIs, near misses and weaknesses to the DPO

Staff, Business managers and Senior Staff must fully assist in the collection of evidence including attending interviews where necessary. Details of an IG SIRI can be very sensitive and any information involved must be handled with discretion and only disclosed to those who need to know the details. 

 

Staff or others working on behalf of the School must not attempt to deal with an IG SIRI themselves, conduct their own investigation and must not destroy or alter any evidence.

 

The Data Protection Officer is responsible for considering and implementing where appropriate, any recommendations to improve security following an investigation.  

 

 

  • Handling a reported security incident event 

 

 

The Data Protection Lead with support from the Data Protection Officer and if appropriate the ICT Technician  – John Wardle will assess each reported security event, and decide whether the event should be classified as an IG SIRI. 

 

If it is decided that the event falls outside the scope of this policy, i.e. if it relates to a crime or a serious staff disciplinary, the matter should be referred to the relevant body (i.e. the Police). 

 

Potential Police matter

 

If the incident is likely to end up as a Police matter then the area should be secured and seek expert advice from the Police. 

 

For ICT based incidents the Headteacher – Justina Terreta will contact the local hi-tech crime unit at Northumbria Police Tel: 0845 604 3043 

 

Or otherwise contact nearest police station.  

 

 

  • IG SIRI management

  • Record keeping

 

The Data Protection Lead will maintain a log and case file for all IG SIRI. 

 

Evidence should be held and preserved in electronic form, wherever possible, to ensure that the School has an adequate audit trail of the information relating to the incident. 

 

 

  • Severity of the incident 

 

 

How the School reacts to an IG SIRI is based on the perceived severity / gravity of the event. This perception may change during the course of the investigation and should be kept under review.  

The severity of an incident is dependant on a number of factors such as: 

  • how many people have been affected
  • the potential damage or distress they could experience
  • whether the information remains lost or has been returned to the Authority
  • the potential damage to the reputation of the organisation 
  • the type of information lost (i.e. how sensitive the data is)
  • whether any protections are in place 

 

The DPO, will consider these factors in determining the severity of the incident and classify/score the incident as summarised below:  

 

Baseline scale  Description 
0 Information about 10 or less individuals 
1 Information about 11-100 individuals 
2 Information about 101-1,000 individuals 
3 Information about 1,001 and over individuals 

 

The potential impact / sensitivity should be added to baseline scale.

For each of the following factors that apply add 1 to the baseline scale:

 

  • Detailed personal information at risk
  • Particularly sensitive information at risk (i.e. medical or social services records)
  • One or more previous incidents of a similar type in past 12 months
  • Failure to securely encrypt mobile technology or other obvious security failing 
  • Potential newsworthy aspects or media interest
  • A complaint has been made to the Information Commissioner or the police
  • Individuals affected are likely to suffer significant distress or embarrassment
  • Individuals affected have been placed at risk of physical harm
  • Individuals affected may suffer significant detriment i.e. financial loss

 

Any mitigating factors should also be taken into account. For each of the following mitigating factors that apply the baseline score should be reduced by 1:

 

  • Personal information limited in nature and low risk of individuals being identified i.e. name and address not included 
  • Security controls/difficulty to access data partially mitigates risk

 

Minor incidents are considered to have a baseline score* of 1 and critical incidents are considered to have a baseline score of 2 or above. 

 

The Data Protection Lead with support from the Data Protection Officer will make an initial decision on the severity of the incident, including whether the incident needs to be reported and keep this initial assessment under review.  Please see below: 

 

Incident level  Action 
Minor incidents (less than 0) 
  • Staff involved to log and report it to Data Protection Lead

 

Major incidents (less than 2 on the scale) 
  • DPO to be notified and breach paperwork completed
  • Review and consider further action.
Critical incidents (scale 2 and above) 
  • Reported to Data Protection Lead at time of incident.
  • DPL to notify LA and seek advice on reporting to ICO.  
  • DPL and DPO form incident response team to conduct more formal investigation. 

 

*Scoring based on guidelines of HSCIC Scoring.

 

  • Response Team

 

The DPL with support from the DPO and ICT Technician will assemble a multi-disciplinary incident response team if it decides that the incident is a significant or critical incident (and it is likely that it will need to be reported) to manage the information incident. 

 

The Response Team may consist of one or more of the following (as applicable): 

 

  • Head Teacher 
  • Lead Practitioners
  • Data Protection Lead
  • Data Protection Officer 
  • ICT Technician

 

The Response Team or IG Lead (if the incident is not a significant or critical incident) will generally follow the approach outlined below, but may determine other actions are appropriate to minimise the risk and manage the situation: 

 

  • Containment and recovery 
  • Investigation 
  • Notification of breach
  • Evaluation and additional response  
  • Post mortem review

 

 

  • Containment and/or recovery

 

The DPL should instruct and ensure staff involved take any action that might limit loss or damage. This may include: 

 

  • backing up data
  • notifying staff to be vigilant
  • notifying individuals (data subjects) affected
  • considering informing the police
  • contacting third parties that have received information in error to obtain assurance that it will be returned or securely destroyed.

 

 

  • Investigation

 

The aim of the investigation is to gather evidence for analysis and to determine the root cause of the incident and to identify any contributing factors and failing.

 

Evidence should be gathered and preserved. This enables others to consider and comment on the incident. Types of evidence include:

 

  • Notes of conversations
  • Emails
  • Screenshots of systems
  • Scanned images of paper documents
  • Photographs 

 

Evidence records should include the date and where not obvious a note to explain how it was obtained. In many cases this may be achieved through file names and metadata. 

 

The DPL and DPO will establish the facts:

 

  • what actually happened (the chronology and effect)?
  • what should have happened (is there a procedure)?
  • to whom?
  • when?
  • where?
  • how? (what went wrong)
  • why? (contributory factors and root causes)

The investigation should establish whether failings occurred:

 

  • look for learning points and improvements rather than apportion blame
  • establish how recurrence may be effectively reduced or eliminated
  • formulate realistic recommendations which address root causes, and learning points to improve systems and services

 

  • Notification

 

The DPL and DPO should consider whether to notify relevant parties about the incident such as:

 

  • The individuals affected
  • The Information Commissioner 
  • Any Regulatory body (such as HSCIC for incidents involving health) and insurers. 

 

Any notification should have a clear purpose, whether this is to enable individuals who may have been affected to take steps to protect themselves or to allow the appropriate regulatory bodies to perform their functions, provide advice and deal with complaints.

 

  • Evaluation and additional response 

 

It is important when analysing investigation findings to be aware of, and try to avoid:  

 

  • hindsight bias i.e. with the ‘benefit of hindsight’ people believe that it is obvious what actions should have been taken to prevent an incident 
  • outcome bias, where past decisions are judged by its success or failure, instead of based on the quality of the decision made at the time.

 

The DPL will evaluate the current risks and whether any immediate or urgent additional action is required. This may include further measures to prevent another breach and escalating the issue with senior staff if applicable.

 

They will also consider whether there are any measures that could reduce the risks to limit the frequency, damage and potential impact / cost of future incidents. 

 

 

  • Post mortem review 

 

The level of review conducted is based on the scale and nature of the IG SIRI. 

The DPL will record details of decisions and action taken for future reference and verification. 

 

IG SIRI reports will typically set out the: 

 

  • background to the incident
  • severity of the incident and possible impact and longer term risks identified
  • key steps taken to manage the incident
  • root cause and supporting evidence
  • agreed corrective action 
  • other possible areas for improvement and an action plan with target dates for completion; and 
  • whether the School’s policies and procedures assisted in the allocation of responsibility and the way in which the School responded.   

 

The report will be circulated to the necessary senior staff individuals to enable the School to monitor trends, identify common themes, review risks and take corrective action. 

 

Appendix 1 – Incident Reporting Form 

 

Incident Reporting Form 

 

To be completed by Staff reporting Incident : 

INCIDENT DETAILS Ref: 

Today’s date:

Incident Date Incident Time 
Date reported
Discovered By 
Department
Initials of people involved

 

INCIDENT DESCRIPTION
Outline the background to the incident

To be completed by DPO : 

IMPACT OF INCIDENT
Severity of incident/baseline score/whether it needs to be reported 

Possible impact and longer term risks identified

Root cause and supporting evidence

Incident level (HSCIC Scoring)

 

RECOMMENDED ACTIONS / ACTIONS COMPLETED
Key steps taken to manage the incident

Agreed corrective action 

Recommended By: Date:

 

CONCLUSION
Identify any other areas for improvement and follow up improvement action with target dates for completion of such action
Closed and signed off by: Date: