(process_data_incidents)=

# Data incidents

## Purpose

Data incidents such as

- unauthorised data ingress or egress
- unauthorised access
- users breaking the terms-of-use

must be investigated to determine whether any action needs to be taken.

## Scope

This procedure covers data incidents for all projects running in the Turing TRE.

## Responsibilities

:::{table}
:widths: auto
:class: responsibilities

| Role | Responsibility |
| ---- | -------------- |
| Turing data protection representative | Deciding on appropriate action |
| Trusted research lead | Deciding on appropriate action |
| {ref}`role_project_team` representative | Deciding on appropriate action |
| {ref}`role_trusted_research_sysadmin` representative | Deciding on appropriate action |
| {ref}`role_trusted_research_data_manager` representative | Deciding on appropriate action |

:::

## Procedure

1. A data incident meeting should be called as soon as possible after any team member becomes aware of a potential incident.
   The following people should be invited
   - Turing data protection representative
   - {ref}`role_trusted_research_lead`
   - One or more representives of the {ref}`system administrator team <role_trusted_research_sysadmin>`
   - One or more representives of the {ref}`data management team <role_trusted_research_data_manager>`
   - One or more representives of the {ref}`role_project_team`

2. A decision should be taken during this meeting about what action needs to be taken
   This may involve, for example:
   - shutdown of a TRE
   - suspension of a user from the TRE (permanently or temporary)
   - removal of data from a TRE
   - referral to the ICO

3. Someone attending the meeting should be assigned to write a report summarising the reason why the incident occurred and recommending any remedial actions or changes to processes if appropriate.
   - Navigate to **{menuselection}`information_governance --> incident reports`** in Sharepoint
   - Make a copy of the `YYYY-MM-DD_report_template.tex` template with an appropriate name
   - Write up your report of the incident using the template's suggested headers, but feel free to add as much or as little information as is required for the particular incident

4. The report should be shared with everyone who was invited to the incident meeting for comment
   - Amend the report if necessary
   - Convert the report to PDF using the `make_pdf.sh` script