Information Security Incident Process

Information Security Incident Process

Where there is a breach of personal data, including a data loss event or a breach of the Data Processing Schedule within the contract (collectively known as an Information Security Incident), this will need to be reported to the council and investigated.

Contractors must have processes in place to capture and manage information security incidents.

Where regular performance reporting is required by the council, contractors may need to provide Information Security Incident statistical data, with more detailed Information Security Incident evidence being made available if requested.

All Information Security Incidents could be reported to the council’s relevant contract manager or commissioner. The council should be kept informed of the progress on any investigation, and final outcomes.

To report an Information Security Incident, please use a secure method of transfer, e.g. encryption and send it to informationsecurity@gloucestershire.gov.uk.

Please note: if you are using unsecure email (i.e. it is not encrypted), please use the same email address as above but ensure you do not include any personal data or commercially sensitive information.

Criminal incidents (such as theft of equipment that contains council data) should also be reported to the police. The contractor will need to pass on any reference number provided by the police to the council.