A ready-to-use incident response plan template covering the full breach lifecycle — from detection to recovery. Customize with your school's contacts and procedures.
An incident response plan (IRP) tells your team exactly what to do when a breach happens — before panic sets in. Fill in the bracketed sections with your school's contacts and details, then share it with your principal, DPO, and IT coordinator.
Review and test this plan at least once a year. Run a tabletop exercise where your team walks through a simulated breach scenario using this document.
Version: [1.0]
Last Reviewed: [Date]
Next Review Due: [Date + 1 year]
Owner: [Data Protection Officer Name]
This Incident Response Plan establishes the procedures [School Name] will follow when a personal data breach or cybersecurity incident is detected. It covers all systems, devices, and personnel that process personal data belonging to students, parents, faculty, and staff.
Incident Commander (usually principal or administrator): [Name], [Phone], [Email]
Data Protection Officer (DPO): [Name], [Phone], [Email]
IT Coordinator: [Name], [Phone], [Email]
Legal Counsel (if available): [Name], [Phone], [Email]
National Privacy Commission (NPC): [Hotline / Email]
DICT Cybersecurity Bureau: [Hotline / Email]
Local Police (if criminal activity suspected): [Station / Hotline]
Activate this plan for any of the following:
Who detects it: Anyone — teacher, admin, IT staff, student, or external party
What to do immediately:
IT Coordinator initial actions:
The Incident Response Team convenes (in person or by call) to assess:
What happened?
What data is involved?
Notification required?
The DPA requires NPC notification within 72 hours if the breach involves sensitive personal information and is likely to adversely affect data subjects. For Philippine schools, most student data qualifies. When in doubt, notify.
IT Coordinator actions:
DPO actions:
If the notification thresholds are met, submit the NPC Breach Notification Form, which must include:
- Nature and scope of the breach
- Types of personal data involved
- Estimated number of affected data subjects
- Likely consequences of the breach
- Measures taken or planned to address the breach
- DPO contact details
NPC Notification Checklist:
Notify affected individuals (parents/guardians for students) when the breach poses a real risk of harm. Use this template:
Subject: Important Notice Regarding Your [Child's / Your] Personal Information
Dear [Parent/Guardian / Staff Member],
We are writing to inform you of a data security incident at [School Name] that may have affected personal information related to [your child / you].
What happened: [Plain-language description — e.g., "On [date], we discovered that unauthorized individuals gained access to our enrollment system."]
What information was involved: [Specific data types — e.g., "Student names, dates of birth, and contact information."]
What we have done: [Steps taken — e.g., "We have secured the affected system, changed all access credentials, and reported the incident to the National Privacy Commission."]
What you should do: [Specific actions — e.g., "Be alert for suspicious calls or emails using your child's information. If you receive anything unusual, please contact us immediately."]
We take the protection of personal information very seriously and sincerely apologize for any concern this incident may cause. Please contact [DPO Name] at [email/phone] if you have questions.
Sincerely,
[School Administrator Name]
[School Name]
Week 1:
Week 2:
Month 1:
Within 30 days of resolution, hold a post-incident review meeting:
Questions to answer:
Document the answers and update this IRP accordingly.
Maintain a log of all incidents (even minor ones) in your Breach Register:
| Date | Incident Type | Systems Affected | Records Affected | NPC Notified | Resolved Date | Lessons Learned |
|------|--------------|-----------------|-----------------|--------------|---------------|-----------------|
| [Date] | [Type] | [Systems] | [Count] | Yes/No | [Date] | [Notes] |
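To make the Breach Register and the 72-hour NPC rule above actionable, here is an added Python example (not part of the template) that models one register entry, applies the plan's notification threshold, and renders the entry as a row of the table above. The field names, functions and the two sample incidents are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

NPC_WINDOW = timedelta(hours=72)  # NPC notification window stated in the plan


@dataclass
class Incident:
    detected: datetime
    incident_type: str
    systems: str
    records: int
    sensitive_pii: bool             # breach involves sensitive personal information
    adverse_effect: Optional[bool]  # likely to harm data subjects; None = unknown
    npc_notified: Optional[datetime] = None
    resolved: Optional[datetime] = None
    lessons: str = ""

    def npc_required(self) -> bool:
        # Plan's threshold: sensitive PII AND likely adverse effect; an unknown
        # effect counts as likely ("when in doubt, notify").
        return self.sensitive_pii and self.adverse_effect is not False

    def npc_deadline(self) -> Optional[datetime]:
        return self.detected + NPC_WINDOW if self.npc_required() else None

    def npc_status(self, now: datetime) -> str:
        deadline = self.npc_deadline()
        if deadline is None:
            return "not required"
        if self.npc_notified is not None:
            return "notified" if self.npc_notified <= deadline else "notified late"
        if now > deadline:
            return "OVERDUE"
        return f"due in {int((deadline - now).total_seconds() // 3600)}h"

    def register_row(self, now: datetime) -> str:
        """Render the entry as a row of the plan's Breach Register table."""
        day = lambda d: d.date().isoformat() if d else "-"
        return (f"| {day(self.detected)} | {self.incident_type} | {self.systems} | "
                f"{self.records} | {self.npc_status(now)} | {day(self.resolved)} | "
                f"{self.lessons} |")


# Constructed sample entries for illustration, not real incidents.
SAMPLE = [
    Incident(datetime(2024, 6, 3, 9), "Phishing", "Staff email", 40, sensitive_pii=False,
             adverse_effect=False, resolved=datetime(2024, 6, 4), lessons="Enable MFA"),
    Incident(datetime(2024, 6, 10, 14), "Unauthorized access", "Enrollment DB", 1200,
             sensitive_pii=True, adverse_effect=None),
]
```

Run `print(i.register_row(datetime.now()))` over `SAMPLE` to see the rows; any entry whose status reads OVERDUE needs the DPO's immediate attention.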