Incident response process

Notification

The purpose of notification is to ensure all relevant stakeholders are appropriately informed of the incident. This should be done in a timely way that is compliant with legal, regulatory, contractual, and internal obligations.

To ensure good practice you should:

  • use pre-approved templates for notifications where available
  • keep communications factual and neutral, avoiding speculation or blame
  • avoid unnecessary delay as timely notification may reduce impact, including reputational damage
  • document the decision-making process and rationale for notifying or not notifying where there is uncertainty

Objectives

Notification aims to:

  • communicate clearly and promptly to those affected or required to take action
  • comply with statutory notification requirements (such as GDPR, DfE and ICO)
  • manage reputational risk through accurate and proportionate messaging
  • provide transparency and accountability within the educational setting or trust

Roles and responsibilities

The SLT digital lead coordinates all communications and owns internal escalation decisions.

The cyber recovery team provides technical input on impact, scope, and mitigation to inform notifications.

The DPO advises on data protection duties and manages ICO reporting.

Generic notification actions

  1. Based on the data involved, severity, and scope, the SLT digital lead, DPO, headteacher, and IT team assess whether a notification is needed.
  2. The SLT digital lead, SLT and DPO determine who receives a notification. This may include learners, staff, guardians, governors, third parties, and the local authority.
  3. The SLT digital lead and SLT notify internal stakeholders (for example, safeguarding, pastoral, HR, finance).
  4. The DPO, headteacher, and IT team notify external bodies (for example, ICO, DfE, police, local authority, insurers, and IT providers).
  5. The DPO, SLT, and communications lead notify affected individuals (such as data subjects). This may include sending letters, emails, and making phone calls while following GDPR guidance.
  6. The SLT digital lead and incident response lead log all notifications, including timestamp, method, message content, and recipients.
  7. The SLT and communications lead prepare public-facing messages, if needed (for example, media, website, social media if an incident escalates).

Reporting to external bodies

DfE standards require that any formal reporting to external bodies (such as Report Fraud) is done by someone appointed by the SLT digital lead and involves the:

  • SLT and headteacher or principal, who will approve a formal report and outline any impact on educational setting or college activity
  • IT support team, who will investigate and resolve the issue
  • DPO, who will establish if a data breach has occurred
  • designated safeguarding lead, who will review if there are any safeguarding issues and related actions
  • governors and trustees, who will need to be informed on the risk and the actions the educational setting or college are taking to resolve it

Information Commissioner’s Office (UK GDPR)

If a personal data breach happens that is likely to result in a risk to individuals’ rights and freedoms, you must report it to the ICO within 72 hours of becoming aware of it. The ICO have further guidance on when an incident should be reported.

Local authority

The requirement to notify depends on contractual obligations or funding arrangements but should be done as soon as possible.

Police or Report Fraud

Report cybercrime such as ransomware, hacking, and financial fraud immediately.

Parents and guardians

When children’s data is involved or there is safeguarding impact, notification is on a case-by-case basis.

Record keeping

Update the incident log to include:

  • notification decision (who, when, why, how)
  • copies of messages and emails sent
  • confirmations of receipt if available
  • records of advice received