
Written by Policy Pros, UK Policy Writing Specialists at Policy Pros
Incident Reporting and Escalation Policies for UK Organisations
Incident reporting and escalation policies outline how incidents of all types — from workplace injuries and near misses to data breaches and IT security events — are identified, reported, managed and escalated within an organisation. A structured approach ensures that incidents are handled consistently, accountability is clear and risks are addressed quickly. A robust policy also helps ensure compliance with the multiple legal and regulatory requirements that apply to incident management in the United Kingdom.
Types of Incidents Requiring Formal Reporting
UK law and regulatory frameworks require organisations to report a wide range of incidents. Understanding which incidents require formal reporting, and to which authority, is essential for compliance. The main categories are set out below.
Workplace Injuries and Dangerous Occurrences
Under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR), employers must report certain workplace incidents to the Health and Safety Executive (HSE). These include:
- Fatal accidents: Must be reported immediately by the quickest practicable means, followed by a written report within 10 days
- Specified injuries: Fractures (other than fingers, thumbs or toes), amputations, crush injuries, loss of consciousness caused by head injury or asphyxia, and injuries requiring hospital admission must be reported without delay
- Over-seven-day incapacitation: Where an employee is incapacitated for more than seven consecutive days (not counting the day of the accident), the incident must be reported within 15 days
- Non-fatal accidents to non-workers: Where a member of the public is taken to hospital as a result of an incident arising from work activity, this must be reported
- Occupational diseases: Certain diseases linked to workplace exposures (such as occupational asthma, carpal tunnel syndrome and hand-arm vibration syndrome) must be reported when confirmed by a medical practitioner
- Dangerous occurrences: Near misses that could have resulted in serious injury, such as the collapse of a scaffold, uncontrolled release of a substance or electrical incidents, must be reported
Failure to report under RIDDOR is a criminal offence and can result in prosecution by the HSE.
Data Breaches
Under Article 33 of the UK GDPR, organisations must notify the Information Commissioner's Office (ICO) of a personal data breach within 72 hours of becoming aware of it, where the breach is likely to result in a risk to the rights and freedoms of individuals. If the breach is likely to result in a high risk, the affected individuals must also be notified without undue delay under Article 34. A data breach can include unauthorised access to personal data, accidental loss or destruction of data, or disclosure of data to an unauthorised recipient. Organisations must maintain an internal breach register regardless of whether the breach is reportable to the ICO.
Near Misses
Whilst not all near misses are reportable under RIDDOR, recording and investigating near misses is considered best practice by the HSE and is essential for preventing future incidents. A near miss is any unplanned event that did not result in injury, illness or damage but had the potential to do so. Organisations should treat near miss reporting as a key element of their safety culture.
Safeguarding Incidents
Organisations working with children or vulnerable adults have specific reporting obligations. In healthcare and social care settings, the Care Quality Commission (CQC) requires providers to notify them of certain incidents under Regulation 18 of the Care Quality Commission (Registration) Regulations 2009. These include safeguarding concerns, serious injuries, abuse, deprivation of liberty and deaths. Education settings must follow statutory safeguarding guidance including Keeping Children Safe in Education.
IT Security Incidents
The Network and Information Systems Regulations 2018 (NIS Regulations) require operators of essential services (including energy, transport, health, water and digital infrastructure) to report significant IT security incidents to their designated competent authority. Relevant digital service providers must also comply. Incidents that affect the continuity of essential services must be reported, with the level of reporting determined by the severity and impact of the incident.
Financial Services Incidents
Firms regulated by the Financial Conduct Authority (FCA) must report material operational incidents, including cyber attacks and IT failures that affect service continuity, under Principle 11 (Relations with Regulators) and the FCA's operational resilience requirements. The Prudential Regulation Authority (PRA) has parallel requirements for firms it supervises.
Legal Notification Timeframes by Incident Type
Getting the timing right is critical. Below is a summary of key notification deadlines under UK law:
| Incident Type | Reporting Deadline | Report To | Regulation |
|---|---|---|---|
| Fatal workplace accident | Immediately (by quickest practicable means); written report within 10 days | HSE | RIDDOR 2013 |
| Specified injury | Without delay; written report within 10 days | HSE | RIDDOR 2013 |
| Over-7-day incapacitation | Within 15 days | HSE | RIDDOR 2013 |
| Personal data breach (risk to individuals) | Within 72 hours | ICO | UK GDPR, Article 33 |
| High-risk data breach (to individuals) | Without undue delay | Affected individuals | UK GDPR, Article 34 |
| CQC notifiable event | Without delay | CQC | CQC Regulation 18 |
| NIS significant incident | As soon as practicable (within 72 hours for initial report) | Competent authority | NIS Regulations 2018 |
| FCA material incident | Without delay | FCA | FCA Handbook, SUP 15.3 |
Missing any of these deadlines can result in regulatory enforcement action, fines, prosecution and significant reputational damage. Your incident reporting policy should include a quick-reference guide to these timeframes so that staff can act promptly.
Escalation Matrix Structure
An escalation matrix is a core component of any incident reporting policy. It defines who must be notified at each stage of an incident, based on the incident's severity, type and potential impact. A well-designed escalation matrix typically includes:
- Level 1 (Initial Report): The employee who identifies the incident reports it to their line manager and logs it in the incident register. For IT incidents, this may be the IT helpdesk.
- Level 2 (Departmental Response): The line manager or department head assesses the incident, determines whether it requires further escalation and initiates the appropriate response procedure.
- Level 3 (Senior Management): Incidents that are serious, widespread or have regulatory implications are escalated to senior management, the Data Protection Officer (for data breaches) or the Health and Safety Officer (for workplace injuries).
- Level 4 (Executive and External Reporting): Incidents that meet regulatory thresholds are escalated to the executive team and reported to the relevant external authority (HSE, ICO, CQC, FCA or competent authority under the NIS Regulations).
The escalation matrix should be documented, displayed in accessible locations and included in staff training. It should specify contact details, out-of-hours procedures and deputies for each role.
Internal Versus External Reporting
It is important that a policy distinguishes clearly between internal and external reporting obligations. Internal reporting is the process by which staff communicate incidents to their colleagues, managers and specialist officers within the organisation. It should be possible for any member of staff to report an incident, and organisations should foster a no-blame culture that encourages reporting. External reporting refers to the legal obligation to notify regulatory bodies, emergency services or other external parties. The decision to report externally should follow the escalation matrix and be made by an authorised person, typically a senior manager, DPO or compliance officer.
Incident Log for Audit Purposes
Maintaining a comprehensive incident log is essential for regulatory compliance, audit readiness and continuous improvement. The log should record:
- Date, time and location of the incident
- Description of the incident and individuals involved
- Category and severity classification
- Immediate actions taken
- Whether the incident was reported externally and, if so, to whom
- Investigation findings and root cause analysis
- Corrective and preventive actions implemented
- Sign-off by the responsible manager
- Date of review and closure
Under Article 33(5) of the UK GDPR, organisations must document all personal data breaches, including those that are not reported to the ICO. This documentation must enable the ICO to verify compliance. Similarly, RIDDOR requires employers to keep records of reportable incidents for at least three years. A centralised, secure incident log — whether digital or paper-based — fulfils these obligations and provides valuable data for trend analysis and risk management.
How Incident Reporting Policies Differ by Sector
Incident reporting requirements vary significantly depending on the sector in which your organisation operates. Healthcare providers regulated by the CQC must report a broader range of incidents, including safeguarding concerns and deaths, and must comply with the Duty of Candour under Regulation 20 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014. Financial services firms must report material operational incidents to the FCA and demonstrate compliance with operational resilience requirements. Operators of essential services under the NIS Regulations 2018 have additional reporting obligations for incidents that affect the continuity of those services. Education providers must follow safeguarding reporting procedures set out in statutory guidance. Construction and manufacturing businesses must pay particular attention to RIDDOR reporting given the higher risk of workplace injuries in those sectors.
Regardless of sector, all UK employers have a duty under the Health and Safety at Work Act 1974 to ensure, so far as is reasonably practicable, the health, safety and welfare of their employees. A well-drafted incident reporting and escalation policy is a fundamental part of meeting that duty.
For more information on data protection and GDPR policies or our IT security policies, please explore our services. Policy Pros can write, review or update your incident reporting and escalation policy to ensure it meets the specific regulatory requirements of your sector. Get in touch to discuss your needs.