Reporting a new privacy incident or breach — incident type and governing authority, discovery, cause, linked subject, and affected scope

Last updated: July 12, 2026 by Steve

Creating Incidents

Reporting an incident is intentionally low-friction so front-line staff can log a privacy breach or security incident quickly, then refine it later. You need the incident-report permission. From the Incidents dashboard, choose Report incident to open the dialog. Nothing you enter here is final — every field can be edited in the incident detail panel after the record is created.

Reporting an Incident

  1. Pick an Incident type if more than one is configured. The type carries a governing authority — the Act or regulation that applies — shown as a read-only field. If the chosen type has no governing authority mapped, a warning appears and you cannot submit; an administrator must map the type to a legal authority first.
  2. Enter a Title (required) and an optional Description.
  3. Set Discovered on. It defaults to today and cannot be a future date.
  4. Optionally choose a Cause type from the configured taxonomy, and add a free-text Cause / circumstances narrative describing what happened.
  5. Optionally link a Privacy subject (the reusable record or system the incident concerns), enter the number of affected individuals, and select the categories of personal information involved.
  6. Select Report incident to save.

The incident is created in the first lifecycle stage (Active) and opens in the detail panel, where the deeper work is done.

Report incident dialog (screenshot placeholder — capture: the Report incident dialog with the incident type, read-only governing authority, title, discovered-on date, cause type, and linked privacy subject fields)

The Governing Authority Requirement

Every incident must be anchored to a legal authority so that its statutory notification obligations can be calculated later. The governing authority comes from the incident type, not from a field you fill in. If you pick a type that an administrator has not mapped to a legal authority, the dialog blocks submission and shows a warning. Choose a different type, or ask an administrator to map the type before reporting.

Linking a Subject from the Directory

When you start from a subject's Incident history tab and choose Create incident, the report dialog opens with that privacy subject already linked to the new incident.