Written by Policy Pros, UK Policy Writing Specialists

Serious Incident Policy Writers

Serious incident policies set out how a business will respond to major events that could impact staff, operations, reputation, or legal compliance.

These HR policies ensure incidents are handled quickly, consistently and transparently, helping to minimise harm and support recovery.

What Do Serious Incident Policies Cover?

A serious incident policy typically includes:

  • What qualifies as a serious incident (e.g. injury, misconduct, data breach)

  • Roles and responsibilities during an incident

  • Immediate reporting and escalation procedures

  • Communication protocols with staff and external bodies

  • Investigation and evidence-gathering processes

  • Support for those affected

  • Follow-up actions, reporting and reviews

Employers must be able to demonstrate they acted reasonably and responsibly, especially where health and safety, safeguarding, or regulatory breaches are involved.

A clear policy helps ensure that serious matters are not mishandled or overlooked, while also showing staff and regulators that the business takes its responsibilities seriously.

Legal Basis and Reporting Duties

Several statutes converge on serious incident handling.

RIDDOR 2013 (the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations) requires employers to report deaths, specified injuries, dangerous occurrences and certain occupational diseases to the HSE, typically within 10 days.

UK GDPR Articles 33 and 34 require notifiable personal-data breaches to be reported to the ICO within 72 hours of awareness, and to affected individuals where there is a high risk to their rights.

The Health and Safety at Work etc. Act 1974, the Corporate Manslaughter and Corporate Homicide Act 2007, the Care Act 2014 (safeguarding adults), the Children Act 1989 and 2004 (safeguarding children), the Public Interest Disclosure Act 1998 (whistleblowing) and the Bribery Act 2010 each create their own incident-reporting obligations.

A serious-incident policy must coordinate these strands so the right report goes to the right regulator inside the right window.

Common Compliance Pitfalls

  • No clearly named incident lead. Decisions about external notification cannot wait for a meeting; the policy must name a primary and deputy decision-maker.
  • The "72-hour clock" misunderstood. The UK GDPR clock starts when the organisation becomes aware of the breach, not when it has finished investigating. Most ICO enforcement notices reference late reporting, not the breach itself.
  • Investigation that contaminates the evidence. Untrained managers gathering statements before HR or legal involvement frequently undermine later disciplinary or regulatory action.
  • No press-line or holding statement. Reputational damage in the first 24 hours is rarely about the incident itself; it is about silence or contradictory statements.
  • No post-incident review. RIDDOR-reportable events, ICO breaches and safeguarding cases all require documented lessons-learned. Their absence is the single most common audit finding.

Sector-Specific Considerations

Healthcare and social care: CQC requires notification of certain incidents under the Care Quality Commission (Registration) Regulations 2009. The Patient Safety Incident Response Framework (PSIRF) replaced the Serious Incident Framework in NHS settings from 2022.

Financial services: The FCA's SUP 15 rules require firms to notify the regulator of significant operational and conduct incidents. The PRA expects equivalent reporting from dual-regulated firms.

Education: Serious safeguarding incidents must be reported to the Local Authority Designated Officer (LADO) and, in regulated cases, to the DBS and Ofsted.

Critical national infrastructure: Operators of essential services and digital infrastructure have specific notification duties under the NIS Regulations 2018 and the forthcoming Cyber Security and Resilience Bill.

What Policy Pros Delivers

Our Serious Incident Policy package includes the main policy document, an incident classification matrix mapped to RIDDOR, UK GDPR and sector-specific reporting thresholds, an immediate-response checklist, a holding statement template, an investigation procedure, a lessons-learned report template and a regulator notification log.

Where the client is regulated, we align the framework to the applicable regulator regime.
