Scroll to content
School Logo

St Joseph's

Catholic Primary School

Inspired by Christ, Working Together, Achieving Our Best

Security Incidents Policy

A security incident is a confirmed breach, potential breach or ‘near-miss’ breach of one of the school’s information policies


Policy points are numbered. The numbering corresponds to explanations of ‘why?’ and ‘how?’ for each point further down the page.


What must I do?


  1. MUST: If you discover a security incident, you must immediately report it
  2. MUST: When reporting the incident, you must provide as much information as possible
  3. MUST: The Investigating Officer must complete investigations and complete an outcome report (see Procedures for Reporting or Handling a Security Incident)
  4. MUST: All staff must support investigations into incidents as required
  5. MUST: Maintain a full record of each incident from reporting to closure
  6. MUST: The Headteacher/SIRO must support the investigation of major and critical incidents
  7. MUST: Comply with the timescales and escalation process outlined in our Procedures for Reporting or Handling a Security Incident
  8. MUST: Major and critical incidents must be referred to the Data Protection Officer.



Why must I do it?


  1. Capturing security incidents allows us to respond effectively when something has gone wrong. Capturing all types of security incidents allows us to understand where our weaknesses are, how well our policies are working and what we should change about our policies to make them more effective
  2. To help us quickly assess the severity of the incident and to speed up the investigation
  3. Carry out an effective process appropriate to the severity of the incident
  4. Carry out an effective process appropriate to the severity of the incident
  5. Ensure the process is followed to completion
  6. Ensure that there is appropriate resource, expertise and independent scrutiny of processes for higher impact incidents
  7. Ensure that all incidents are handled in a timely manner
  8. Ensure that serious incidents are reviewed against the criteria for reporting to the regulator.



How must I do it?


  1. Please notify the school office. No action will be taken against any member of staff who reports a security incident about another member of staff in good faith. Identification of a reporting party who requests anonymity shall be protected as far as is feasible.
  2. Include full details of the incident such as dates, names and any remedial action that has been taken.
  3. Where appropriate, undertake the following:
    1. Identify expected outcomes, stakeholders and any policies breached.
    2. Speak to staff involved.
    3. Record evidence and keep an audit trail of events and evidence supporting decisions taken
    4. Get expert help
    5. Escalate
    6. Inform data subjects (service users, staff) where appropriate
    7. Identify and manage risks of the incident
    8. Commence disciplinary action, or record why not
    9. Develop and implement a communications plan where appropriate
    10. Put in place controls to prevent recurrence
    11. Complete the Incident Outcome Report
  4. Where appropriate, undertake the following:
    1. Work with the SIRO to investigate major security incidents.
    2. Assess the outcome to ensure the appropriate action has been taken.
    3. Provide knowledge and advice, and carry out any recommended actions for major or critical incidents, where required.
  5. Undertake the following:
    1. Classify the Security Incident
    2. Verify the details and oversee the investigation
    3. Work with SIRO to investigate major security incidents.
    4. Advise, support and intervene as appropriate
    5. Review Incident Outcome Reports and close
  6. For major and critical incidents:
    1. Undertake the investigation (critical only)
    2. Work with SIRO (major only)
    3. Assess if it is necessary for the security incident to be reported to the ICO.
    4. Complete an outcome report and recommend remedial actions.
  7. Follow the process outlined in the school’s Procedures for Reporting or Handling a Security Incident



What if I need to do something against the policy?


If you believe you have a valid business reason for an exception to these policy points, having read and understood the reasons why they are in place, please raise a formal request by contacting the school office.


If you believe the policy does not meet your business needs, you may raise this with your Information Champion who, if they agree with your suggestion, may propose a policy change.


Document Control


Version:                     2

Date approved:         July 2020

Approved by:             GDPR Working Party

Next review:              July 2021




  • Data Protection Act 2018


Breach Statement


Breaches of Information Policies will be investigated and may result in disciplinary action. Serious breaches of Policy may be considered gross misconduct and result in dismissal without notice, or legal action being taken against you.