Security Incident and Breach Notification Procedure

1. Scope

This procedure applies to incidents affecting confidentiality, integrity, or availability of smartHMO systems and personal data.

2. Incident lifecycle

1. Detect and triage incident severity.
2. Contain and isolate affected systems.
3. Investigate root cause and impact scope.
4. Remediate, recover, and verify integrity.
5. Document lessons learned and preventive actions.

3. Breach assessment criteria

smartHMO evaluates whether personal data is involved, what categories are affected, expected risk to individuals, and whether statutory notification duties are triggered.

4. Notification commitments

• Notify affected controllers/customers without undue delay.
• Provide known facts, likely impact, and mitigation actions.
• Support controllers to meet regulatory and individual-notice duties.
• Where controller obligations require, support notification in the 72-hour statutory window.

5. Evidence and records

smartHMO keeps incident records including timeline, affected systems, impact analysis, actions taken, and closure approvals.

6. Contact

Security and breach notifications should be sent to support@smarthmo.co.uk.