Emma Kitcher, Data Protection Officer
Annual review – no changes.
Added Holiday Club into policy
INTRODUCTION
QUICK REFERENCE POINTS
KEY DEFINITIONS
SCOPE
KEY LEGISLATION / FRAMEWORK
INFORMATION INCIDENT REPORTING
UNAUTHORISED ACCESS TO PERSONAL DATA
INCIDENT COMMUNICATION
HANDING OVER INVESTIGATION – ANNUAL LEAVE / SICKNESS / ABSENCE
REPORTING AN INCIDENT
APPLICATION AND AUDIT
INTRODUCTION
This protocol supports staff in dealing with incidents involving Personal Confidential Information, so that incidents are appropriately controlled and reported and lessons are fed back into the risk management cycle.
Cyber incidents graded at Level 2 by the DPO will be notified to the Information Commissioner's Office (ICO).
QUICK REFERENCE POINTS
- Staff must be able to recognise an incident and promptly report it
- An incident is where the confidentiality, availability or integrity of personal data has been affected
- If you are investigating an incident, make sure you hand it to a colleague when you are absent
- Sometimes the data subject will need to be notified
- Sometimes the authorities will need to be notified
- A timely response is important
KEY DEFINITIONS
Personal Confidential Information: this term is intended to cover information captured by the UK GDPR / Data Protection Act 2018 (identifiable information about living individuals), information covered by the Common Law Duty of Confidence and the Tort of Misuse of Private Information, and information covered by Article 8 of the European Convention on Human Rights (the right to respect for private and family life).
SCOPE
See the Information Governance Policy for key roles.
All staff, whether management or administrative, who create, receive or use Personal Confidential Information are responsible for ensuring that information incidents are reported and managed effectively. Employees have a contractual and legal obligation to read and comply with all company policies and to attend mandatory training supporting the appropriate management of information.
KEY LEGISLATION / FRAMEWORK
- UK GDPR / Data Protection Act 2018
- Human Rights Act 1998
Hopscotch Nurseries and Holiday Clubs are committed to compliance with the above requirements.
INFORMATION INCIDENT REPORTING
- Where an incident of this type occurs, staff are required to notify their manager immediately.
- The manager will send the report to the DPO for review.
- The DPO will then investigate and grade the incident.
- Incidents must be reported internally as soon as possible. Where a breach is reportable, the ICO must be notified within 72 hours of the organisation becoming aware of it, so contact the DPO as soon as possible with as much information as can be ascertained at the time; details that are not yet known can be supplied later.
- All incident data, trends and lessons learned will be fed into the Information Risk Management process and suitable mitigations implemented, such as additional staff training or process improvement.
- Key incident trends and lessons will be escalated to the most senior members of the organisation via the Information Governance Steering Group (IGSG).
UNAUTHORISED ACCESS TO PERSONAL DATA
- Where it is discovered that a staff member has accessed personal data inappropriately (for example, accessing family, child or other restricted records without a genuine business need, or accessing their own records or those of family, friends or colleagues without the permission of the organisation), the following applies.
- The information must be passed to the DPO immediately and a full audit performed of the staff member's access to shared drives (where access logs are available). The audit evidence should be preserved before the staff member is interviewed.
- The audit results must be passed to the DPO for review, and the staff member should be interviewed to determine the circumstances of the potentially inappropriate access. The staff member's access should be limited or monitored whilst the investigation is ongoing.
INCIDENT COMMUNICATION
- During the investigation, the DPO will determine whether the affected data subjects need to be informed, based on whether the incident might result in physical, material or non-material damage to natural persons: for example, loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, or any other significant economic or social disadvantage to the person concerned.
- The following methods have been identified as possible approaches:
- 1–10 data subjects affected: direct postal contact
- 10–50 data subjects affected: direct email contact
- 50+ data subjects affected: website alert and in situ posters
- This approach reflects that breaches affecting a greater number of data subjects may cause concern amongst the service user population, or make direct contact difficult to arrange. Proactive communication is therefore needed, together with an opportunity for individuals to ascertain whether their information was involved and to make enquiries or complaints. Note that where a breach is likely to result in a high risk to individuals, the UK GDPR requires them to be informed without undue delay, and a public communication in place of direct contact is permitted only where direct contact would involve disproportionate effort.
- When notifying data subjects, the following information must be included:
- Name and contact details of the DPO or other point of contact from whom more information can be obtained
- Nature of the breach and the categories of information involved
- A description of the measures taken or being taken to address the breach, including measures to mitigate its possible adverse effects
- A description of the likely consequences of the breach
HANDING OVER INVESTIGATION – ANNUAL LEAVE / SICKNESS / ABSENCE
- When an incident arises, the primary investigator within Hopscotch Nurseries and Holiday Clubs must document their investigation and findings in a shared space accessible to those who need to view and/or continue the investigation in the event of expected or unexpected absence.
- The ICO can issue reprimands for breaches reported outside the legal 72-hour time frame unless it is satisfied with the reasons for the delay, so an investigation must not stall because its owner is away.
- Furthermore, the DPO will be continuing the investigation and must be able to contact any member of staff for further details when necessary.
REPORTING AN INCIDENT
Examples of types of information incidents include:
- Corruption or inability to recover electronic data
- Data disclosed in error
- Data lost in transit
- Lost or stolen hardware
- Lost or stolen paperwork
- Non-secure disposal – hardware or paperwork
- Technical security failing – including hacking
- Unauthorised access / disclosure
- Uploaded to website in error
- Data quality issue
Once an incident is reported, the DPO will be in touch to obtain further information as required.
- The DPO will advise on any immediate or longer-term mitigation steps to be taken.
- Support will be provided in making contact with affected data subjects.
- A final incident report will be produced for the records of Hopscotch Nurseries and Holiday Clubs.
- The IGSG will discuss the incident to ensure any appropriate process changes or training are arranged.
APPLICATION AND AUDIT
Compliance with this protocol will be audited and the results fed into the Plan, Do, Check, Act cycle described in the Information Risk and Audit Protocol.
- The organisation will list the information rights in its privacy policy
- All staff should be able to recognise information rights requests and refer them to the right person
- All staff, visitors and service users should have access to the DPO's contact details to support the exercise of those rights
- Staff must confirm that they have read and understood this protocol
- This protocol will be reviewed annually or sooner in the event of significant learning or change
- This protocol should be read in conjunction with the other protocols in the Data Protection and Security policy suite