Structured governance assurance for UK school governing boards.

This document sets out the School Governance Assurance Framework's procedure for detecting, containing, assessing, and reporting personal data breaches in compliance with UK GDPR Articles 33 and 34. It applies to all data processed through the SGAF platform.

1 What is a data breach

A personal data breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Examples relevant to the School Governance Assurance Framework include:

  • Unauthorised access to a school's assessment data by a person outside that school's account
  • Accidental exposure of school governance data through a platform vulnerability
  • Loss of database backup containing personal data
  • Compromised authentication allowing access to another user's account
  • Inadvertent disclosure of governor names or school data to an unauthorised third party
  • Ransomware or malware affecting the platform infrastructure

Not all security incidents are personal data breaches: the notification duties in sections 3 to 5 apply only where personal data is affected. Suspected breaches are still logged in the breach register (see section 6) while the assessment is made.

2 Our response procedure

Our breach response follows four phases:

Phase 1: Detect and contain

  • Identify the breach and determine the initial scope
  • Isolate affected systems to prevent further unauthorised access
  • Preserve evidence for investigation
  • Revoke compromised credentials or session tokens where applicable

Phase 2: Assess

  • Determine the categories of personal data affected
  • Estimate the number of data subjects affected
  • Assess the likely consequences for affected individuals and schools
  • Determine whether the breach is likely to result in a risk to the rights and freedoms of data subjects

Phase 3: Notify

  • Notify the ICO within 72 hours of becoming aware of the breach unless it is unlikely to result in a risk to rights and freedoms (see section 3)
  • Notify affected schools without undue delay, regardless of whether ICO notification is required (see section 4)
  • Notify affected data subjects where the breach is likely to result in a high risk (see section 5)

Phase 4: Review

  • Conduct a post-incident review within 14 days of the breach being contained
  • Document root cause, timeline, impact, and remediation steps
  • Update security measures, procedures, and training where needed
  • Record all findings in the breach register (see section 6)

3 ICO notification

Where a breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If notification is made after 72 hours, it will state the reasons for the delay. Where the full facts are not yet known, we will notify with the information available and supply the remainder in phases without undue further delay. For data we process on a school's behalf, the obligation to notify the ICO rests with the school as data controller; our notification to the school (section 4) is intended to give it the information it needs to do so.

How we notify the ICO

  • Via the ICO's online breach reporting tool at ico.org.uk
  • Or by calling the ICO helpline on 0303 123 1113

Content of notification

Our notification to the ICO will include:

  • A description of the nature of the breach, including the categories and approximate number of data subjects and records affected
  • The name and contact details of our contact point from whom more information can be obtained (Joshua Mangas)
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

When notification is not required

We are not required to notify the ICO if the breach is unlikely to result in a risk to the rights and freedoms of individuals. This assessment considers the nature and sensitivity of the data, the severity and consequences of the breach, and any mitigation measures in place (such as encryption). We record the assessment and its reasoning in the breach register (see section 6) and revisit it if the investigation changes the likely risk.

4 School notification

As a data processor, we notify affected schools (data controllers) without undue delay after becoming aware of any breach affecting their data (see Timeline below). This notification is sent regardless of whether ICO notification is required.

How we notify schools

Notification is sent to the email address registered on the school's account.

Content of school notification

  • What happened and when
  • What data was affected
  • What we are doing about it
  • What the school should do (including whether they need to notify their own data subjects under UK GDPR Article 34)
  • Contact details for further information

Timeline

We aim to notify affected schools within one UK working day of becoming aware of the breach. Where notification cannot be completed within this timeframe, we will provide an initial notification with the information available and follow up as the investigation progresses.

School responsibilities

As data controllers, schools are responsible for assessing whether they need to notify their own data subjects (governors, staff) based on their obligations under UK GDPR. We will assist schools in making this assessment.

5 Data subject notification

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify affected data subjects without undue delay. For data processed on a school's behalf, the decision to notify and the notification itself rest with the school as data controller (see section 4); we will supply the information the school needs to make and act on that decision.

Content of data subject notification

Notifications to data subjects will be in clear, plain language and will describe:

  • The nature of the breach
  • What personal data was affected
  • What measures we have taken to address the breach
  • What steps the individual can take to protect themselves
  • How to contact us for further information

When notification is not required

Notification to data subjects is not required if:

  • The data was protected by encryption or other measures that render it unintelligible to unauthorised persons
  • We have taken subsequent measures that ensure the high risk is no longer likely to materialise
  • Notification would involve disproportionate effort, in which case we will instead make a public communication or similar measure that informs the affected individuals in an equally effective manner

6 Breach register

We maintain a register of all suspected and confirmed data breaches, regardless of whether they are reported to the ICO or data subjects.

What the register records

  • Date and time the breach was discovered
  • Date and time the breach occurred (if different)
  • Nature of the breach and categories of data affected
  • Number of data subjects and records affected
  • Likely consequences of the breach
  • Remedial actions taken
  • Decisions on notification (ICO, schools, data subjects) with reasoning
  • Outcome of post-incident review

The breach register is available to the ICO on request and is reviewed annually to identify patterns and improve security measures.

7 Prevention and review

We take a proactive approach to preventing data breaches:

  • Post-incident reviews are completed within 14 days of each breach being contained
  • Security measures are updated based on findings from breach investigations
  • This breach procedure is reviewed annually and updated as needed
  • Technical security measures (encryption, access controls, row-level security) are maintained and monitored continuously

8 How to report a suspected breach

If you suspect a data breach or security incident affecting the School Governance Assurance Framework, please report it immediately:

  • Email: info@governanceassurance.co.uk with the subject line "Data Breach Report"
  • Include: what happened, when you became aware, what data may be affected
  • Response time: we aim to acknowledge your report within one UK working day

If you believe a breach is actively ongoing (for example, an unauthorised person has access to your school's account), contact us immediately so that we can revoke the compromised credentials or session tokens (see Phase 1), and, if you can still access the account, change the account email address.

Questions about this procedure?

Contact us at info@governanceassurance.co.uk or see our Data Protection page for full details of our data protection practices.