1.1 This Standard Operating Procedure has been updated in July 2024 as follows:
2.1 Security incident reporting plays a major role in helping both Essex Police and Kent Police to maintain a safe and secure working environment. It helps to protect the confidentiality, integrity and availability of the information systems accessed and is pivotal to protecting both personal information and operational integrity. Effective trend analysis of reported incidents enables the organisations to highlight areas of weakness and, if necessary, take appropriate action to reduce specific threats and vulnerabilities.
2.2 All officers and staff have a responsibility to report information security incidents, whether deliberate or accidental. A breach, as defined by this procedure/SOP, which presents a risk to the data subject must be referred to the Information Commissioner's Office within 72 hours (see para 5) by the individual Force Data Protection Officer.
2.3 This procedure/SOP is intended to ensure a consistent and effective approach to the management of information security incidents, to help limit the impact of a breach and ensure lessons are learned to reduce the risks of re-occurrence.
Compliance with this procedure/SOP and any governing policy is mandatory.
3.1 This procedure/SOP outlines the main requirements for security incident reporting. It is designed to ensure that core data is recorded, the event is properly reviewed and corrective action is taken where necessary to minimise the risk of re-occurrence, and to provide clarity over accountability and responsibility for actions.
3.2 The reporting of security incidents is performed utilising three different notification channels:
3.3 What is a Security Incident?
3.3.1 A security incident can be defined in two ways: a data breach of personal or sensitive data, or a security incident not necessarily relating to a breach or loss of data.
3.3.2 A personal data breach is defined within the Data Protection Act 2018 as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This can include breaches that are the result of either an accidental or a deliberate cause. It also means that a breach is about more than just losing personal data.
3.3.3 Examples of personal data breaches can include:
3.3.4 There will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.
3.3.5 A security incident is an event that may indicate that an organisation's IT systems or physical parameters/security have been compromised or that measures put in place to protect them have failed. Security incidents have degrees of severity, which take account of the associated potential risk to the organisation. If large numbers of users are denied access, it is likely to mean that there is a more serious problem, such as a denial of service (DoS) attack. The event may therefore be classified as a high-level security incident.
3.3.5.1 Examples of IT security incidents:
3.3.6 Equally, identity, access credentials, asset or physical security protocols are all vulnerable to loss, theft or compromise. These events also include any compromise of the measures put in place to protect them or that such measures have failed.
3.3.6.1 Examples:
3.3.6.2 The above list is not exhaustive and officers and staff must ensure that they report any incident where they have a reasonable belief that there is a risk to the security of their force or an individual's personal data.
3.4 Reporting Security Incidents
3.4.1 All security incidents must be reported using the relevant form and the relevant Information Asset Owner notified:
3.4.2 Information in relation to the incident should include a description of the data lost or stolen, theft or loss of police assets, or physical security. The incident must detail whether it was held in hard copy or portable media, the quantity (if known), where it was lost and the sensitivity of the data (if known).
3.4.3 The first 72 hours after you become aware of a data breach are critical. This is the deadline given to organisations under the Data Protection Act 2018 to report information security incidents to the Information Commissioner's Office (ICO).
3.4.4 However, not all breaches need to be reported to the ICO. Data breaches only need to be reported if they "pose a risk to the rights and freedoms of natural living persons". This generally refers to the possibility of affected individuals facing economic or social damage, such as discrimination, reputational damage or financial losses. Most breaches fit into this category, but not all. For example, if the information can't be linked to a specific individual, there's likely to be very little risk to the 'rights and freedoms of an individual'.
3.4.5 When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people's rights and freedoms. If it is likely there will be a risk then you must notify the relevant force Data Protection Officer via telephone to ensure the circumstances receive early consideration.
3.4.6 The relevant Data Protection Officer will undertake a review of the circumstances and, if the criteria are met, refer the breach to the ICO.
3.4.7 If the breach is likely to result in a high risk of adversely affecting individuals' rights and freedoms, the reporting officer or member of staff must also inform those individuals without undue delay in order that any risks can be mitigated.
3.4.8 Each force will retain a central log of all significant security breaches and these will be reviewed by the relevant strategic board to ensure any 'lessons learnt' are implemented.
3.5 Critical Incident
3.5.1 It is recognised that some security incidents may have wider implications that need to be considered and any subsequent responses co-ordinated. A data breach, in particular, can have a range of adverse effects on individuals, which include emotional distress and physical and material damage. Some personal data breaches will not lead to risks beyond possible inconvenience to those who need the data to do their job. Other breaches can significantly affect individuals whose personal data has been compromised. On becoming aware of a breach, an early assessment must take place in order to consider the potential adverse consequences for any individuals or the wider organisation. The outcome of this assessment may lead to referral to a member of the relevant Senior Leadership Team (or Force Duty Officer) for assessment as a potential critical incident, based on how serious or substantial the risks are and how likely it is that they may occur.
3.6 Security Vulnerabilities
3.6.1 Officers and staff are personally responsible for reporting observed or suspected security vulnerabilities such as staff sharing User IDs and passwords, including smartcards and system admin privileges given to individuals who do not require them. Access into police sites without the appropriate vetting or authorisation must also be reported.
3.6.2 Staff should not attempt to prove a suspected security weakness as this might be interpreted as a potential misuse of the system. The weakness should be reported via their line manager to the relevant force Information Security Officer (ISO). The line manager must also ensure that any perceived vulnerabilities are reported to the Business Owner and/or Information Asset Owner in order that any necessary 'quick time' action can be taken.
3.7 Professional Standards Department Referral
3.7.1 Where the incident constitutes a potential breach of the Code of Conduct for officers or staff a referral will be made by the Data Protection Officer for assessment by the relevant force Professional Standards Department.
3.8 Analysis and Management Reporting
3.8.1 Analysis and management reporting is an essential practice to enable key lessons to be learnt in order to maintain a proactive approach to emerging security threats. It provides practical output on types, circumstances and handling practices of an incident. Analysis enables a force to diagnose what a security incident means to a member of staff, build and maintain a suitable security incident response capability, build a framework of management reporting and learn about where and how awareness programmes are delivered.
3.8.2 Such analysis is designed to:
3.8.3 The relevant Information Security Officer (ISO) is responsible for the output of this analysis, which will be communicated through the relevant force Strategic Board, who will consider any necessary changes to policy, procedure/SOP or training.
EIA – July 2023
5.1 There is an overall risk concerning the use and management of Essex Police and Kent Police information. Advice and guidance relating to the assessment of risk is contained within the individual procedures/SOPs. The Corporate Risk Register will contain any risks in relation to Information Security.
6.1 The following have been consulted during the formulation of this document:
7.1 The Information Security Officer will be responsible for ensuring that this procedure/SOP will remain current in line with HMG and ACPO policy.
7.2 This procedure/SOP will be reviewed by, or on behalf of, the forces’ SIROs every two years.
Related force policies or related procedures (Essex) / linked standard operating procedures (Kent)
8.1 Essex Police and Kent Police Joint Policy and Procedures:
• W 1000 Policy – Information Management
• W 1001 Procedure/SOP – ICT Acceptable Use
• W 1002 Procedure/SOP – User Account Management
• W 1005 Procedure/SOP – Information Asset Owners
• W 1006 Procedure/SOP – Government Security Classification Scheme (GSC)
• W 1007 Procedure/SOP – Assurance of Information Assets
• W 1008 Procedure/SOP – Physical Security
• W 1009 Procedure/SOP – Protective Monitoring
• W 1010 Procedure/SOP – Records Management (Physical and Digital)
• W 1011 Procedure/SOP – Data Protection
• W 1012 Procedure/SOP – Records Review, Retention and Disposal
• W 1014 Procedure/SOP – Information Sharing Agreements
• W 1015 Procedure/SOP – Redaction
• W 1016 Procedure/SOP – Encryption of Files and Removable Digital Media
• W 1017 Procedure/SOP – Sanitisation, Re-Use and Disposal
• W 1019 Procedure/SOP – Freedom of Information
• W 1020 Procedure/SOP – Use of Bluetooth
• W 1021 Procedure/SOP – Shared and Standalone Devices
• W 1022 Procedure/SOP – Data Protection Impact Assessments
8.1.1 Essex Only Documents:
• W 2006 Procedure – Cryptographic Security
• W 2011 Procedure – Transaction Monitoring and Audit
• W 2013 Procedure – Appropriate Access and Use of Police Information
• W 2020 Procedure – Data Quality
• W 2021 Procedure – Applications for the Early Disposal of Information
• W 2040 Procedure – Record Centre (Dunmow)
8.2 Data Security
8.2.1 Essex Police and Kent Police have measures in place to protect the security of your data in accordance with our Information Management Policy – W 1000 Policy – Information Management.
8.3 Retention & Disposal of Records
8.3.1 Essex Police and Kent Police will hold data in accordance with our Records Review, Retention & Disposal Policy – W 1012 Procedure/SOP - Records Review, Retention and Disposal.
8.3.2 We will only hold data for as long as necessary for the purposes for which we collected it.
Policy reference: Incident reporting and management policy (W1004)
Contact point:
Date last reviewed: July 2023
If you require any further information or to request any documentation referenced within the policy please email [email protected]. For general enquiries, contact us.