Accurate, timely, and secure record-keeping is essential at every stage of incident management and response.
Clear documentation supports:
- effective decision-making
- lessons learnt
- compliance with regulations such as GDPR, data privacy and safeguarding.
Documentation can also protect individuals and the school if there are audits, legal claims or further investigations.
Objectives
- accuracy: records must reflect any actions taken to mitigate the incident and who took them, using objective language throughout
- timeliness: records should be made as events unfold or as soon as practicable, with detailed time references to help build an informative timeline
- security: store all records securely, with access limited to those who need to know
- consistency: use a standard format or template, such as our incident event recording form, to ensure clarity and completeness
- retention: follow your education setting’s records retention policies
Roles and responsibilities
The SLT digital lead typically oversees the non-technical record keeping and ensures leadership decisions are recorded.
Supported by IT, they are responsible for sharing access with those who have a clear need to know. This includes:
- protecting information from unauthorised access
- clearly labelling documents to help maintain continuity and prevent duplication or omission
IT support is responsible for:
- logs
- forensic data
- technical actions
- system-level details
Formal reporting to external bodies must be done by someone appointed by the SLT digital lead. The SLT and headteacher or principal should be involved; they will then approve a formal report and outline any impact on school or college activity.
Good practice
To maintain best practice, you should:
- assign a named record-keeper during major incidents, such as the SLT Digital Leader or a delegated individual acting as Incident Leader, and, if possible, assign a deputy
- use coordinated universal time (UTC) or 24-hour time for timestamps to avoid confusion
- keep a written record, even if actions were also taken verbally or in person
- clearly mark draft documents, use document versioning and update documents as they are finalised
- protect sensitive system and network event logs with encryption or password protection
- document what didn’t happen if relevant, for example "no personal data loss identified"
What to record and when
| Include | Owned by | When to record |
| --- | --- | --- |
| description of incident, how it was discovered and the initial assessment | SLT digital lead, cyber recovery team | as soon as possible after the detection |
| chronological list of actions, decisions and timestamps | SLT digital lead, cyber recovery team | during the incident |
| internal and external communications, such as emails, calls and in-person briefings | SLT digital lead, school communications lead | during and after the incident |
| rationale for key decisions and who made them | SLT digital lead | throughout the incident |
| system activity, logs from affected devices/networks | cyber recovery team | during technical investigation |
| details of containment, mitigation and recovery efforts | cyber recovery team | during and after the containment and recovery phases |
| personal data affected, DPO assessment and ICO notification | data protection officer | if personal data is involved |
| summaries of strategy meetings or incident reviews | SLT digital lead | as required |
| summary, lessons learnt and recommendations | SLT digital lead, cyber recovery team | after closure |
| status of recommended improvements and action owners | SLT digital lead | after the incident |
Legal and regulatory considerations
- Article 33/34 of the UK GDPR: maintain breach notification records (72-hour rule)
- Data Protection Act 2018: includes specific UK exemptions to GDPR and rules for handling children’s data
- Freedom of Information (FOI): incident records may be subject to FOI requests
- Audit/inspection readiness if applicable: good records demonstrate governance and compliance
- Safeguarding Duty of Care: records may support child protection issues if relevant