Information management - Incident reporting and management policy (W1004)

1.0 Summary of changes

1.1 This procedure/SOP has been updated on 2 June 2026 as follows:

• security incident definition updated
• additional examples added
• section 3.5.2 added
• procedure owners updated
• section 3.3.2 updated to include relevant legislation

2.0 What this procedure/SOP is about

2.1 Security incident reporting is essential to protecting the confidentiality, integrity and availability of information handled by Essex Police and Kent Police, ensuring risks to personal data and operational information are identified, assessed and managed appropriately. It also captures wider security threats affecting the police estate and workforce enabling consistent response and targeted action to address vulnerabilities across both data and physical security controls.

2.2 All officers and staff have a responsibility to report information security incidents whether deliberate or accidental. A breach is defined by this procedure/SOP, which presents a likely risk to the data subject, must be referred to the Information Commissioner's Office within 72 hours (see para 5) by the individual force data protection officer, or appropriate delegated person.

2.3 This procedure/SOP is intended to ensure a consistent and effective approach to the management and reporting of information security incidents, to help limit the impact of a breach and ensure lessons are learned to reduce the risks of re-occurrence.

Compliance with this procedure/SOP and any governing policy is mandatory.

3.0 Detail the procedure/SOP

3.1 This procedure/SOP outlines the main requirements for security incident reporting and is designed to ensure core data is recorded, the event is properly reviewed, corrective action taken where necessary to minimise the risk of re-occurrence and to provide clarity over accountability and responsibility for actions.

3.2 The reporting of security incidents is performed utilising three different notification channels:

1. internal staff / automated IT detection notifications
2. strategic partners notifications
3. national security and cyber incident notifications to forces

3.3 What is a security incident?

3.3.1 A security incident is an occurrence that actually or potentially jeopardises the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

3.3.2 A personal data breach is defined within the Data Protection Act 2018 as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This can include breaches that are the result of both an accidental or deliberate cause. It also means that a breach is more than just about losing personal data.

3.3.3 Examples of personal data breaches can include:

• access by an unauthorised third party
• deliberate or accidental action (or inaction) by a controller or a processor
• sending personal data to an incorrect recipient
• computing devices containing personal data being lost or stolen
• alteration of personal data without permission and
• loss of availability of personal data.

3.3.4 There will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.

3.3.5 A security incident is an event that may indicate that an organisation's IT systems or physical parameters/security have been compromised or that measures put in place to protect them have failed. Security incidents have degrees of severity and consider the associated potential risk to the organisation. If large numbers of users are denied access, it is likely to mean that there is a more serious problem, such as denial of service (DoS) attack. The event therefore may be classified as a high level security incident.

3.3.5.1 Examples of IT security incidents:

• attempts from unauthorised sources to access systems or data
• unplanned disruption to a service or a denial of a service
• unauthorised processing or storage of data
• unauthorised changes to system hardware, firmware or software
• use of unauthorised equipment or software connected to police equipment or the force network

3.3.6 Equally, identity, access credentials, asset or physical security protocols are all vulnerable to loss, theft or compromise. These events also include any compromise of the measures put in place to protect them or that such measures have failed.

3.3.6.1 Examples:

• shared passwords
• loss of force assets i.e. mobile phone, Airwave, tablets, laptop, uniform
• unauthorised personnel on police estate
• tailgating incidents
• privileged access or unauthorised access rights inherited

3.3.6.2 The above list is not exhaustive and officers and staff must ensure that they report any incident where they have a reasonable belief that there is a risk to the security of their force or an individual's personal data.

3.4 Reporting security incidents

3.4.1 Responsibility for reporting a security incident or data breach rests with the individual who first identifies or becomes aware of it. Reporting must not be delayed pending identification of the responsible party or notification to another individual. Any delay in reporting may materially impact the force’s ability to meet statutory obligations, including timely notification to the Information Commissioner’s Office (ICO), the effective investigation of misconduct, and the appropriate handling of the incident.

3.4.2 All staff must report suspected incidents immediately, even where there is uncertainty as to whether a security incident or personal data breach has occurred. Where there is uncertainty, staff must either report the incident or seek prompt guidance via the force intranet or from the data protection officer. Staff should take reasonable and proportionate steps to contain or mitigate the incident where it is safe and appropriate to do so; however, this must not delay or replace the requirement to report promptly. Examples of appropriate mitigation include:

• recalling or correcting emails sent in error
• contacting unintended recipients to request deletion
• retrieving misplaced documents

3.4.3 All security incidents must be reported using the relevant form and the relevant Information Asset Owner notified:

• Essex Police - PFL001
• Kent Police – PFL002

3.4.4 Information in relation to the incident should include a full description of the data lost or stolen, theft or loss of police assets, or physical security. The incident must detail whether it was held in hard copy or portable media, the quantity (if known), where it was lost and the sensitivity of the data (if known).

3.4.5 The first 72 hours after you become aware of a data breach are critical.  This is the deadline given to organisations under the Data Protection Act 2018 to report information security incidents to the Information Commissioners' Office (ICO).

3.4.6 However, not all breaches need to be reported to the ICO. Data breaches only need to be reported if they "pose a likely risk to the rights and freedoms of natural living persons". This generally refers to the possibility of affected individuals facing economic or social damage, such as discrimination, reputational damage, financial losses or physical harm. Most breaches fit into this category, but not all. For example, if the information can't be linked to a specific individual, there's likely to be very little risk to the 'rights and freedoms of an individual'.

3.4.7 When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people's rights and freedoms. If it is likely there will be a risk then you must notify the relevant force data protection officer to ensure the circumstances receive early consideration.

3.4.8 The relevant data protection officer will undertake a review of the circumstances and refer if necessary to the ICO if the criteria is met.

3.4.9 If the breach is likely to result in a high risk of adversely affecting individuals' rights and freedoms, the reporting officer or member of staff must also inform those individuals without undue delay in order that any risks can be mitigated.

3.4.10 Each force will retain a central log of all significant security breaches and these will be reviewed by the relevant strategic board to ensure any 'lessons learnt' are implemented.

3.5 Critical incident

3.5.1 It is recognised that some data breaches may have wider implications that need to be considered and any subsequent responses co-ordinated. A data breach, in particular, can have a range of adverse effects on individuals, which include emotional distress and physical and material damage. Some personal data breaches will not lead to risks beyond possible inconvenience to those who need the data to do their job. Other breaches can significantly affect individuals whose personal data has been compromised. On becoming aware of a breach an early assessment must take place to consider the potential adverse consequences for any individuals or the wider organisation. The outcome of this assessment may lead to referral to a member of the relevant Senior Leadership Team (or Force Duty Officer) for assessment as a potential critical incident based on how serious or substantial the risks are and how likely that they may occur.

3.5.2 The same principles apply to security incidents; not all incidents carry the same degree of criticality. For instance, the loss of uniform would be regarded as a much lower priority compared to the discovery of confirmed malware on a police-issued computer. Accordingly, each security incident is reviewed and categorised, which determines the appropriate response level required. Both IT and Information Security have clearly defined escalation criteria in place, enabling the force to escalate incidents consistently and efficiently when necessary.

3.6 Security vulnerabilities

3.6.1 Officers and staff are personally responsible for reporting observed or suspected security vulnerabilities such as staff sharing User IDs and passwords, including smartcards and system admin privileges given to individuals who do not require them. Access into police sites without the appropriate vetting or authorisation must also be reported.

3.6.2 Staff should not attempt to prove a suspected security weakness as this might be interpreted as a potential misuse of the system. The weakness should be reported via their line manager to the relevant force Information Security Officer (ISO). The line manager must also ensure that any perceived vulnerabilities are reported to the Business Owner and/or Information Asset Owner in order that any necessary 'quick time' action can be taken.

3.7 Professional Standards Department referral

3.7.1 Where the incident constitutes a potential breach of the Code of Conduct for officers or staff, a referral will be made for assessment by the relevant force Professional Standards Department. This referral may be initiated by the data protection officer or information security officer, or by an appropriate line manager or supervisor who becomes aware of the circumstances indicating a potential breach.

3.8 Analysis and management reporting

3.8.1 Analysis and management reporting is an essential practice to enable key lessons to be learnt in order to maintain a proactive approach to emerging security threats. It provides practical output on types, circumstances and handling practices of an incident. Analysis enables a force to diagnose what a security incident means to a member of staff, build and maintain a suitable security incident response capability, build a framework of management reporting and learn about where and how awareness programmes are delivered.

3.8.2 Such analysis is designed to:

• enable preparedness of a security incident by performing a critical assessment; carrying out threat analysis; addressing issues related to people, process, technology and information; and getting the fundamentals in place
• provide a better response to a security incident by covering identification of a security incident; investigation of the situation, taking appropriate action (e.g. containing the incident and eradicating its source) and recovering from a security incident
• following up a security incident by considering the need to investigate the incident more thoroughly; report the incident to relevant stakeholders; carry out a post incident review; build on lessons learnt; and update key information, controls and processes

3.8.3 The relevant Information Security Officer (ISO) and Data Protection Officer are responsible for the output of this analysis which will be communicated through the relevant force Strategic Board who will consider any necessary changes to policy, procedure/SOP or training.

4.0 Equality Impact Assessment (EIA)

EIA – June 2026.

5.0 Risk assessment

5.1 There is an overall risk concerning the use and management of Essex Police and Kent Police information. Advice and guidance relating to the assessment of risk is contained within the individual procedures/SOPs. The Corporate Risk Register will contain any risks in relation to information security.

6.0 Consultation

6.1 The following have been consulted during the formulation of this document:

• Kent IT Department
• Essex Information Management Department
• Unison / Federation
• H&S / Diversity

7.0 Monitoring and review

7.1 The Information Security Officers in both forces will be responsible for ensuring that this procedure/SOP will remain current in line with other relevant policies and guidance.

7.2 This procedure/SOP will be reviewed by, or on behalf of, the forces’ SIROs every two years.

8.0 Governing force policy

Related force policies or related procedures (Essex) / linked standard operating procedures (Kent)

8.1 Essex Police and Kent Police Joint Policy and Procedures:

• W 1000 Policy – Information Management
• W 1001 Procedure/SOP – ICT Acceptable Use
• W 1002 Procedure/SOP – User Account Management
• W 1005 Procedure/SOP – Information Asset Owners
• W 1006 Procedure/SOP – Government Security Classification Scheme (GSC)
• W 1007 Procedure/SOP – Assurance of Information Assets
• W 1008 Procedure/SOP – Physical Security
• W 1009 Procedure/SOP – Protective Monitoring
• W 1010 Procedure/SOP – Records Management (Physical and Digital)
• W 1011 Procedure/SOP – Data Protection
• W 1012 Procedure/SOP – Records Review, Retention and Disposal
• W 1014 Procedure/SOP – Information Sharing Agreements
• W 1015 Procedure/SOP – Redaction
• W 1016 Procedure/SOP – Encryption of Files and Removable Digital Media
• W 1017 Procedure/SOP – Sanitisation, Re-Use and Disposal
• W 1019 Procedure/SOP – Freedom of Information
• W 1020 Procedure/SOP – Use of Bluetooth
• W 1021 Procedure/SOP – Shared and Stand-alone devices
• W 1022 Procedure/SOP – Data Protection Impact Assessments

8.1.1 Essex only documents:

• W 2006 Procedure - Cryptographic Security
• W 2011 Procedure – Transaction Monitoring and Audit
• W 2013 Procedure – Appropriate Access and Use of Police Information
• W 2020 Procedure – Data Quality
• W 2021 Procedure – Applications for the Early Disposal of Information
• W 2040 Procedure – Record Centre (Dunmow)

8.2 Data security

8.2.1 Essex Police and Kent Police have measures in place to protect the security of your data in accordance with our Information Management Policy – W 1000 Policy – Information Management.

8.3 Retention and disposal of records

8.3.1 Essex Police and Kent Police will hold data in accordance with our Records Review, Retention & Disposal Policy – W 1012 Procedure/SOP - Records Review, Retention and Disposal.

8.3.2 We will only hold data for as long as necessary for the purposes for which we collected.

9.0 Other source documents, e.g. legislation, APP, force forms, partnership agreements (if applicable)

• Essex Police - Information Security website on connEXion
• Essex Police - PFL001
• Essex Police - Info Sec Incident Management Core Hours
• Essex Police - Info Sec Incident Management Out of Hours
• Essex Police - PFL001a
• Kent Police - PFL002