AttendTrack

Incident Response & Notification Policy

How AttendTrack responds to and reports data security incidents

Last Updated: 6 March 2026
Version 1.0

1. Purpose and Scope

This Incident Response and Notification Policy sets out how AttendTrack (operated by Vince James) detects, manages, investigates, and reports personal data breaches and security incidents in accordance with:

  • UK General Data Protection Regulation (UK GDPR), Articles 33 and 34
  • Data Protection Act 2018
  • ICO guidance on personal data breaches

This policy applies to all personal data processed through the AttendTrack platform, including pupil attendance data, staff account data, and any other personal information held on behalf of our school customers.

2. What Constitutes an Incident

A security incident or data breach includes any event that leads to, or could lead to:

  • Unauthorised access to personal data
  • Accidental or unlawful destruction of personal data
  • Loss or alteration of personal data
  • Unauthorised disclosure of personal data
  • Unavailability of personal data (e.g. through ransomware or system failure)

Examples specific to AttendTrack include: a breach of a school's attendance records, unauthorised login to a staff account, exposure of pupil data through a software vulnerability, loss of data due to infrastructure failure, or unauthorised access to parent/guardian voicemail recordings or their transcriptions stored on the platform.

3. Incident Severity Classification

Critical

Confirmed breach affecting multiple schools or large volumes of personal data. High risk to data subjects' rights and freedoms.

High

Confirmed or suspected breach affecting a single school. Potential risk to data subjects.

Low

Minor security event with no personal data affected, or very limited scope with minimal risk.

4. Incident Response Procedure

Step 1: Detection and Initial Assessment (0-2 hours)

  • Immediately cease any activity that may worsen the breach
  • Assess whether personal data has been or may be affected
  • Classify the incident by severity (Critical / High / Low)
  • Assign incident ownership to Vince James as the designated Data Protection lead

Step 2: Containment (0-4 hours)

  • Isolate affected systems where possible
  • Revoke compromised credentials or access tokens
  • Engage Abacus.AI infrastructure support to investigate and contain the issue
  • Preserve evidence (logs, screenshots, error reports) for investigation

Step 3: School Notification

We will notify affected school(s) as follows:

Critical incidents: within 4 hours via email and telephone
High incidents: within 24 hours via email
Low incidents: within 72 hours via email

Our notification to schools will include:

  • Nature of the incident and data involved
  • Approximate number of individuals affected
  • Steps already taken to contain the breach
  • Recommended actions for the school
  • A named point of contact at AttendTrack

Step 4: ICO Notification (where required)

Under UK GDPR Article 33, a personal data breach that is likely to result in a risk to individuals' rights and freedoms must be reported to the ICO within 72 hours of AttendTrack becoming aware.

The ICO can be notified at: ico.org.uk/report-a-breach

Step 5: Investigation and Remediation

  • Conduct a full root cause analysis
  • Implement technical fixes and preventive measures
  • Update security practices as required
  • Provide a written incident report to affected schools within 7 days

Step 6: Post-Incident Review

  • Document all findings in the AttendTrack incident log
  • Review and update this policy if gaps are identified
  • Implement any additional security controls required

5. School Responsibilities

Schools (as Data Controllers) also have obligations under UK GDPR in the event of a breach, including:

  • Notifying the ICO within 72 hours if the breach is likely to result in risk to individuals
  • Notifying affected individuals (parents, pupils, staff) where the risk is high
  • Cooperating with our investigation and providing any relevant information

We will support schools in meeting these obligations by providing all relevant information as promptly as possible.

6. Contact for Reporting

If a school becomes aware of a potential incident involving AttendTrack data, please contact us immediately:

AttendTrack Security Contact

Vince James — Data Protection Lead

07533 183823

7. Policy Review

This policy will be reviewed annually, or following any significant security incident, whichever is sooner. The current version is maintained at attendtrack.co.uk/incident-response-policy.