(data_incidents)=

# Investigate data incidents

> This task is the responsibility of {ref}`role_tresa`.

If there is any suspicion of a data incident such as:

- unauthorised data ingress or egress
- unauthorised access
- users breaking the terms-of-use

then an incident report meeting will be held as soon as possible.

The following people should be invited to this meeting:

- Turing data protection representative
- {ref}`role_tresa` lead
- {ref}`role_tresa` administrator contact
- project PI
- project referee

During the meeting a decision should be made about what action needs to be taken.
This may involve, for example:

- shutdown of a TRE
- suspension of a user from the TRE (permanently or temporary)
- removal of data from a TRE

A report of the incident should be written up and stored for the Turing's records:

## Report data incidents

1. Navigate to Sharepoint and `information_governance` -> `incident reports`
2. Make a copy of `YYYY-MM-DD_report_template.tex` template to write a report and give it an appropriate name
3. Write up your report of the incident using the template's suggested headers, but feel free to add as much or as little information as is required for the particular incident
4. Convert the report to PDF using the `make_pdf.sh` script
5. Share with everyone who was invited to the incident meeting for comment (see above)
6. Edit the report as needed and ensure the final PDF is saved in the `incident reports` folder