1. Purpose
This procedure explains how Equra College London (“Equra”) responds to suspected or confirmed personal data breaches and information security incidents, to reduce harm, meet legal duties, and prevent recurrence.
2. Scope
This procedure applies to:
- Any suspected or confirmed loss of, unauthorised disclosure of, alteration or destruction of, or unauthorised access to personal data held by Equra
- Any security incident that could affect the confidentiality, integrity or availability of Equra information, systems or devices
This includes incidents involving email, cloud storage, learning platforms, paper records, devices, and third-party suppliers.
3. What is a personal data breach
A personal data breach is a security incident that leads to accidental or unlawful:
- destruction, loss or alteration of personal data, or
- unauthorised disclosure of, or access to, personal data.
4. Roles and responsibilities
- All staff and authorised users: must report incidents immediately.
- Data Protection Lead (DPL): leads breach assessment, reporting decisions, and communication plans.
- Information Security Lead (ISL): leads technical containment, investigation and remediation.
- Senior Management / Governing Body: oversight, decision support, and resourcing where required.
- System Owners / Suppliers: cooperate in investigation and containment as required.
5. Reporting an incident
Incidents must be reported immediately to:
dataprotection@equracollege.org.uk (or info@equracollege.org.uk until set)
Where urgent, staff should also notify their line manager and the Information Security Lead.
6. Immediate actions for the person who discovers the incident
If safe to do so, the reporter should:
- Stop further disclosure or access (for example, recall the email where possible, remove the access link, lock the paper file)
- Disconnect the affected device from the internet if malware is suspected
- Preserve evidence (screenshots, email headers, system messages)
- Do not delete emails or logs that may be needed
- Escalate immediately to the DPL/ISL
7. Incident triage and logging
7.1 Equra will log every reported incident in a breach/incident register, including near misses.
7.2 The DPL/ISL will assign a severity rating and confirm next actions.
Minimum log fields:
- Date/time discovered and reported
- Reporter name and role
- Systems/data involved
- Summary of incident
- Containment actions
- Risk assessment
- Notification decisions
- Remedial actions and closure date
8. Containment and recovery
Equra will take immediate steps to contain the incident, which may include:
- Resetting passwords and enabling MFA
- Removing access permissions and disabling accounts
- Recalling emails and revoking sharing links
- Quarantining or wiping compromised devices where appropriate
- Restoring systems from backups where required
- Securing paper records and limiting access
Recovery actions will be proportionate and designed to minimise disruption while protecting data.
9. Investigation
Equra will investigate to determine:
- What happened and when
- What data was involved (type and volume)
- Who may have been affected
- Whether the data was accessed, altered, exfiltrated, or destroyed
- Root cause (human error, system failure, malicious attack, supplier failure)
- What controls failed or were missing
Investigation outputs should include a clear chronology and evidence summary.
10. Risk assessment and harm analysis
Equra will assess risks to individuals, including:
- The sensitivity of data (e.g., safeguarding, health, financial)
- Likelihood of misuse
- Potential impact (identity theft, distress, discrimination, physical risk)
- Whether data was encrypted or otherwise protected
- Whether the data is likely to be accessed by unauthorised persons
11. Decision on ICO notification
11.1 The DPL will decide whether the breach is likely to result in a risk to the rights and freedoms of individuals.
11.2 Where notification is required, Equra will notify the ICO without undue delay and where feasible within 72 hours of becoming aware of the breach.
11.3 If notification is delayed, Equra will document reasons.
12. Notification to affected individuals
12.1 Where the breach is likely to result in a high risk to individuals, Equra will notify affected individuals without undue delay.
12.2 Notifications will be clear and include:
- What happened (high level)
- What data was involved
- Likely consequences
- What Equra has done to address it
- What the individual can do to protect themselves
- Contact details for further information
Equra may delay notification where advised by law enforcement or where immediate notification would increase risk.
13. Supplier and partner incidents
Where the incident involves a supplier or partner:
- Equra will require immediate notification under contractual terms where applicable
- Equra will coordinate investigation and corrective actions
- Equra will assess whether Equra must notify the ICO and individuals
- Equra will document supplier cooperation and assurances
14. Communications and confidentiality
Only authorised persons may communicate externally about incidents. Staff must not discuss incidents publicly or on social media. Communications must be factual and privacy-protective.
15. Remedial actions and lessons learned
After containment, Equra will implement improvements, which may include:
- Staff training and process changes
- Access control tightening
- Technical controls (MFA, encryption, monitoring)
- Supplier assurance improvements
- Updates to policies and templates
Equra will record lessons learned and confirm closure criteria.
16. Close-out and retention of incident records
16.1 Incidents will be closed only when containment, investigation, and remedial actions are completed or appropriately planned.
16.2 Incident records will be retained in line with Equra’s retention schedule.
17. Review
This procedure will be reviewed annually or sooner if required by incidents or changes in law/regulation.