Data & Incident Breach Management Policy

1. Purpose

This policy defines the process for identifying, managing, and responding to security incidents and data breaches within our systems and platforms. Its primary objectives are to:

  • Minimise the impact of security incidents on users, data, and operations
  • Ensure a consistent, coordinated, and timely response to all incidents regardless of severity
  • Meet applicable legal, regulatory, and contractual obligations relating to data protection and breach notification
  • Support continuous improvement of security controls through structured post-incident review

This policy applies to all incidents affecting systems operated by the organisation, whether they originate internally or externally, and whether they are accidental or deliberate in nature.

2. Scope

This policy applies to all components of the organisation's technology environment, including:

  • The web application (frontend interfaces, backend services, and APIs)
  • All databases and stored data assets
  • Infrastructure and hosting environments (including cloud services and third-party hosting providers)
  • All individuals with access to these systems, including employees, contractors, consultants, and third-party partners

Any person who becomes aware of a potential security incident — regardless of their role — is expected to report it immediately in accordance with this policy.

3. Definition of a Security Incident

A security incident is any event that threatens the confidentiality, integrity, or availability of the organisation's systems or data. Incidents include but are not limited to:

  • Unauthorised access to systems, accounts, or administrative panels
  • Exposure or leakage of sensitive data, including personally identifiable information (PII), financial data, or proprietary content
  • Compromised credentials or API keys, including stolen passwords, leaked tokens, or misused authentication credentials
  • Malware, ransomware, or system exploitation, including the introduction of malicious code or exploitation of software vulnerabilities
  • Service disruption caused by denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
  • Accidental data exposure, such as misconfigured storage buckets, public-facing internal documents, or unintended data sharing

Not every anomaly constitutes an incident. Unusual activity that does not meet the threshold of a confirmed or suspected breach may be logged as a security event and monitored without triggering the full incident response process. The Incident Response Lead makes this determination.

4. Roles and Responsibilities

Clear ownership is essential to an effective incident response. The following roles are assigned for all incidents:

Incident Response Lead

Coordinates the overall response, makes key decisions regarding containment and escalation, serves as the primary point of contact across teams, and ensures the incident is resolved and documented in a timely manner. In the absence of a designated lead, the most senior available team member assumes this role.

Technical Team

Investigates the incident, implements containment measures, identifies root causes, applies fixes and patches, and validates system integrity before returning services to production. The technical team is responsible for preserving all logs and forensic evidence throughout the process.

Compliance and Management

Assesses the legal and regulatory implications of the incident, determines whether breach notification obligations are triggered, and ensures the organisation's response aligns with applicable data protection laws and contractual commitments.

Communications

Manages all internal and external communications relating to the incident, including notifying affected users, drafting stakeholder updates, and preparing any required regulatory notifications. All external communications must be reviewed and approved before release.

Chief Technology Officer (CTO)

The CTO holds ultimate responsibility for all actions required under this policy. This includes ensuring that the incident response framework is properly resourced and followed, that all team members with relevant responsibilities are trained and prepared, and that the organisation's technical security posture is continuously improved in light of incidents and emerging threats. The CTO is also responsible for ensuring this policy remains current at all times, commissioning reviews whenever circumstances require it, and approving all updates before they take effect.

5. Incident Severity Levels

All incidents are classified upon detection and reclassified if new information emerges during investigation.

  • Critical — Confirmed data breach or major system compromise affecting sensitive data or core functionality. Response time: immediate, within 1 hour.
  • High — Unauthorised access confirmed or strongly suspected, with potential impact on data or users. Response time: within 4 hours.
  • Medium — Suspicious activity detected requiring investigation; no confirmed breach. Response time: within 24 hours.
  • Low — Minor anomaly or policy violation with no significant impact on data or operations. Response time: within 72 hours.

Severity classifications directly determine the urgency of escalation, the personnel involved, and whether external notification is required.

6. Incident Response Process

6.1 Identification

Incidents may be detected through automated monitoring and alerting tools, reports from internal team members, user-submitted reports, third-party security disclosures, or routine system audits. Upon detection, the person who identifies the incident must immediately notify the Incident Response Lead and log the following:

  • Date and time of detection
  • Systems or data assets believed to be affected
  • A brief description of the observed anomaly
  • An initial severity assessment

6.2 Containment

Containment begins immediately upon confirmation that an incident is in progress. The technical team takes the following actions as appropriate to the nature of the incident:

  • Disabling compromised user accounts or administrative credentials
  • Revoking active sessions, API tokens, and authentication keys
  • Isolating affected systems or services from the wider infrastructure to prevent lateral spread
  • Blocking suspicious IP addresses or traffic patterns where technically feasible

Containment measures are documented in real time and must not destroy evidence required for subsequent investigation.

6.3 Investigation

Once the incident is contained, the technical team conducts a structured investigation to determine:

  • The root cause
  • The full scope of systems and data affected
  • The method of attack or failure
  • The timeline of events from initial compromise to detection
  • Whether any data was exfiltrated, altered, or destroyed

All logs, system snapshots, and forensic evidence are preserved securely and must not be modified or deleted during or after the investigation.

6.4 Eradication and Recovery

Following investigation, the technical team implements the necessary remediation steps, which may include:

  • Patching identified vulnerabilities
  • Removing malicious code or unauthorised access points
  • Resetting all affected credentials and tokens
  • Restoring systems from verified clean backups where necessary

Before any affected system is returned to production, integrity validation must be completed to confirm that the threat has been fully eradicated and that restored data is accurate and complete.

6.5 Notification

Notification obligations are assessed by the Compliance and Management role. Internal stakeholders are notified immediately upon confirmation of a Critical or High severity incident. Affected users are notified as soon as practically possible when their personal data has been or may have been exposed, with clear information about:

  • What data was affected
  • What the organisation is doing in response
  • What steps users should take to protect themselves

Where applicable data protection regulations require notification to a supervisory authority or regulatory body — for example under GDPR within 72 hours of becoming aware of a breach — this obligation takes precedence and must be met within the required timeframe. All notifications are documented, including the date, content, and recipients.

6.6 Post-Incident Review

Within five business days of incident resolution, the Incident Response Lead convenes a post-incident review meeting with all relevant team members. The review covers:

  • The full incident timeline
  • The effectiveness of the response
  • Root cause analysis
  • Any gaps in detection, containment, or communication that were identified

Outcomes from the review are used to update security controls, revise procedures, and inform staff training. All findings are recorded in the organisation's risk register.

7. Data Protection During Incidents

Throughout the incident response process, the organisation is committed to handling all data — including evidence and logs — with the same care applied under normal operations:

  • Access to sensitive data during an incident is restricted to those with a direct need
  • Encryption is applied to all evidence stored or transmitted during the response
  • Unnecessary exposure or duplication of personal data is avoided at all times
  • Evidence is stored in a secure, access-controlled location and retained for a minimum of twelve months following incident closure

8. Documentation Requirements

A complete incident record must be created and maintained for every security incident, regardless of severity. Each record must include:

  • A detailed timeline of events from detection to resolution
  • A description of all actions taken and by whom
  • An impact assessment covering systems, data, and users affected
  • Full resolution details including fixes applied and systems restored
  • A lessons learned summary

Incident records are stored securely, accessible only to authorised personnel, and retained in accordance with the organisation's data retention policy.

9. Testing and Review

The organisation conducts periodic incident response exercises — including tabletop simulations and technical drills — to test the effectiveness of this policy and the readiness of the response team. These exercises are conducted at least once per year.

This policy is formally reviewed annually, or sooner following any of the following:

  • Any Critical or High severity incident
  • A significant change to the organisation's technology environment
  • An update to applicable legal or regulatory requirements

The review is led by the Compliance and Management role and approved by the CTO. The CTO holds ultimate ownership of this policy and is responsible for ensuring it is reviewed, updated, and enforced at all times — including outside of scheduled review cycles should operational, legal, or technical changes require it.

10. Compliance

All incident handling activities must align with applicable legal and regulatory requirements, including but not limited to:

  • Relevant data protection legislation in the jurisdictions in which the organisation operates
  • Contractual obligations to clients, partners, and hosting providers
  • Industry standards and frameworks relevant to information security

Non-compliance with this policy by any individual with system access may result in disciplinary action, suspension of access rights, or legal consequences depending on the nature and severity of the breach.

This policy is owned by the Chief Technology Officer (CTO), who is responsible for its maintenance, enforcement, and timely update. All team members with system access are required to familiarise themselves with its contents.