
Incident Response Plan Template for Philippine Schools

A ready-to-use incident response plan template covering the full breach lifecycle — from detection to recovery. Customize with your school's contacts and procedures.

How to Use This Template

An incident response plan (IRP) tells your team exactly what to do when a breach happens — before panic sets in. Fill in the bracketed sections with your school's contacts and details, then share it with your principal, DPO, and IT coordinator.

Review and test this plan at least once a year. Run a tabletop exercise where your team walks through a simulated breach scenario using this document.


[SCHOOL NAME] Incident Response Plan

Version: [1.0]

Last Reviewed: [Date]

Next Review Due: [Date + 1 year]

Owner: [Data Protection Officer Name]


1. Purpose and Scope

This Incident Response Plan establishes the procedures [School Name] will follow when a personal data breach or cybersecurity incident is detected. It covers all systems, devices, and personnel that process personal data belonging to students, parents, faculty, and staff.


2. Incident Response Team

Primary Contacts

Incident Commander (usually principal or administrator):

  • Name: [Name]
  • Mobile: [Number]
  • Email: [Email]

Data Protection Officer (DPO):

  • Name: [Name]
  • Mobile: [Number]
  • Email: [Email]

IT Coordinator:

  • Name: [Name]
  • Mobile: [Number]
  • Email: [Email]

Legal Counsel (if available):

  • Name: [Name / Law Firm]
  • Mobile: [Number]
  • Email: [Email]

External Contacts

National Privacy Commission (NPC):

  • Hotline: 1800-1-767-7262 (1800-1-NPC-PCAB)
  • Email: complaints@privacy.gov.ph
  • Breach notification: privacy.gov.ph

DICT Cybersecurity Bureau:

  • Email: cybersecurity@dict.gov.ph

Local Police (if criminal activity suspected):

  • Station: [Your local station]
  • Number: [Number]

3. What Counts as an Incident

Activate this plan for any of the following:

  • Unauthorized access to student or staff records
  • Ransomware or malware infection on school systems
  • Lost or stolen devices containing personal data
  • Accidental disclosure of personal data (wrong email recipient, etc.)
  • Phishing attack resulting in compromised account credentials
  • Website defacement or data destruction
  • Third-party vendor reporting a breach affecting your school's data

4. Response Phases

Phase 1: Detection and Reporting (Hour 0)

Who detects it: Anyone — teacher, admin, IT staff, student, or external party

What to do immediately:

  1. Do NOT shut down or wipe affected systems (evidence preservation)
  2. Disconnect the affected system from the network (unplug ethernet or disable WiFi)
  3. Report to the IT Coordinator and DPO immediately by phone — do not use potentially compromised email
  4. Document what you observed: time, what you saw, what you did

IT Coordinator initial actions:

  • Verify the incident is real (not a false alarm)
  • Preserve evidence (screenshots, log files, error messages)
  • Determine if the incident is ongoing or contained
  • Notify the Incident Commander

Phase 2: Assessment (Hours 1–4)

The Incident Response Team convenes (in person or by call) to assess:

What happened?

  • [ ] Type of incident: [ransomware / unauthorized access / data exposure / phishing / other]
  • [ ] Systems or accounts affected: [List]
  • [ ] Is the incident ongoing or contained?

What data is involved?

  • [ ] Data types: [student records / grades / health / financial / staff data / other]
  • [ ] Approximate number of records or individuals affected: [Number]
  • [ ] Does this include sensitive personal information (health, minors' data, financial)?

Notification required?

The Data Privacy Act (DPA) requires NPC notification within 72 hours if the breach involves sensitive personal information and is likely to adversely affect data subjects. For Philippine schools, most student data qualifies. When in doubt, notify.

  • [ ] NPC notification required: Yes / No / Assessing
  • [ ] Deadline: [Date/Time — 72 hours from time of discovery]

Phase 3: Containment (Hours 1–24)

IT Coordinator actions:

  • Isolate affected systems from the network
  • Change all compromised account passwords
  • Revoke access tokens or API keys if applicable
  • Block malicious IP addresses or email senders at the firewall/mail gateway
  • Preserve forensic evidence (do not wipe systems until evidence is secured)
  • Enable enhanced logging on adjacent systems

DPO actions:

  • Begin drafting the NPC breach notification form
  • Identify all affected data subjects
  • Prepare a list of individuals who may need to be notified

Phase 4: NPC Notification (Within 72 Hours)

If notification thresholds are met, submit the NPC Breach Notification Form:

  1. Download the form from privacy.gov.ph
  2. Complete all required fields:
     - Nature and scope of the breach
     - Types of personal data involved
     - Estimated number of affected data subjects
     - Likely consequences of the breach
     - Measures taken or planned to address the breach
     - DPO contact details
  3. Submit via email to complaints@privacy.gov.ph or through the NPC portal
  4. Save confirmation of submission

NPC Notification Checklist:

  • [ ] Form downloaded from privacy.gov.ph
  • [ ] All fields completed
  • [ ] Submitted within 72 hours
  • [ ] Confirmation saved

Phase 5: Individual Notification

Notify affected individuals (parents/guardians for students) when the breach poses a real risk of harm. Use this template:

Subject: Important Notice Regarding Your [Child's / Your] Personal Information

Dear [Parent/Guardian / Staff Member],

We are writing to inform you of a data security incident at [School Name] that may have affected personal information related to [your child / you].

What happened: [Plain-language description — e.g., "On [date], we discovered that unauthorized individuals gained access to our enrollment system."]

What information was involved: [Specific data types — e.g., "Student names, dates of birth, and contact information."]

What we have done: [Steps taken — e.g., "We have secured the affected system, changed all access credentials, and reported the incident to the National Privacy Commission."]

What you should do: [Specific actions — e.g., "Be alert for suspicious calls or emails using your child's information. If you receive anything unusual, please contact us immediately."]

We take the protection of personal information very seriously and sincerely apologize for any concern this incident may cause. Please contact [DPO Name] at [email/phone] if you have questions.

Sincerely,

[School Administrator Name]

[School Name]

Phase 6: Recovery (Week 1–4)

Week 1:

  • [ ] Root cause analysis complete
  • [ ] Vulnerability that was exploited identified and patched
  • [ ] All affected accounts re-secured
  • [ ] Systems restored from clean backups (if needed)

Week 2:

  • [ ] Security audit of adjacent systems
  • [ ] Staff briefing on what happened and how to prevent recurrence
  • [ ] Updated security controls in place

Month 1:

Phase 7: Post-Incident Review

Within 30 days of resolution, hold a post-incident review meeting:

Questions to answer:

  1. How was the incident detected? Was detection fast enough?
  2. What was the root cause?
  3. What controls failed? What controls worked?
  4. Was the response timely and effective?
  5. What would we do differently?
  6. What policy or technical changes are needed?

Document the answers and update this IRP accordingly.


5. Breach Register

Maintain a log of all incidents (even minor ones) in your Breach Register:

| Date | Incident Type | Systems Affected | Records Affected | NPC Notified | Resolved Date | Lessons Learned |
|------|---------------|------------------|------------------|--------------|---------------|-----------------|
| [Date] | [Type] | [Systems] | [Count] | Yes/No | [Date] | [Notes] |


6. Plan Maintenance

  • Review annually or after any significant incident
  • Test annually with a tabletop exercise
  • Update when key contacts change
  • Train new staff on this plan during onboarding
