Incident types — categories for privacy incidents, each carrying a governing legal authority

Last updated: July 12, 2026 by Steve

Incident Types

Incident types are the categories a privacy incident or breach can be filed under. Each type carries a governing legal authority — the Act or regulation that applies — and that authority is required before an incident of that type can be reported, because it is what drives the notification-obligations calculator later in the record.

Incident Types (screenshot placeholder — capture: the Incident types list with a type selected and its governing legal authority)

Where to Find It

Open Settings from the app toolbar and choose Incident types in the Privacy configuration group. This group is visible only to users who hold the relevant privacy configure permission.

Options and Fields

Field What it controls
Name and description The type's label, translatable across your active languages.
Governing legal authority The legal authority (Act or regulation) that governs incidents of this type. Required — an incident of this type cannot be reported until the type is mapped to one.

How It Affects Incidents

  • On the Report incident dialog, staff pick a type when more than one is configured; the type's governing authority then shows as a read-only field.
  • If the chosen type has no governing authority, a warning appears and the incident cannot be submitted until an administrator maps the type to a legal authority.
  • The governing authority feeds the Notifications tab: the obligations calculator produces its statutory notices from the incident's legal authority, and voluntary notification types are scoped to that same authority.

Best Practice

Map every incident type to a legal authority before staff start reporting. An unmapped type blocks reporting outright, and the mapping is what lets the notification calculator tell your office who must be told and by when.