Manchester Council Cyber Incident Reporting Guide

Technology and Data · England · Published February 11, 2026

Introduction

In Manchester, England, public-sector cyber incidents that affect council services must be reported promptly to reduce harm to residents and services. This guide explains who to notify, relevant legal duties for data breaches, local reporting channels, and practical steps council staff and contractors should follow when an incident affects Manchester City Council systems or services.

When to Report

Report any incident that affects availability, confidentiality, or integrity of council services or personal data, including ransomware, unauthorised access, distributed denial of service (DDoS), or data export. Notify your IT incident response team immediately, preserve logs and system images, and avoid changes that would destroy forensic evidence.

Report quickly to limit service disruption and legal exposure.

Penalties & Enforcement

There is no separate Manchester bylaw that prescribes criminal fines specifically for cyberattacks on council IT; enforcement and penalties for personal data breaches or regulatory non-compliance are handled at the national level and by criminal investigators where relevant.

The Information Commissioner’s Office (ICO) can impose statutory sanctions for breaches of data protection law, including monetary penalties. The ICO states penalties can reach "up to £17.5 million or 4% of annual global turnover" for the most serious infringements; for specific incidents see the ICO guidance on reporting breaches [1].

  • Enforcers: ICO for data protection matters and the police (including the National Crime Agency) for cybercrime investigations.
  • Fines: As above for ICO; local council disciplinary or contractual penalties for staff or suppliers are not specified on the cited council pages.
  • Court actions: Criminal prosecution or civil claims may follow depending on the incident's nature and impact.
  • Inspection and complaints: Report incidents internally to the council's IT/security team; external reports go to ICO or police as appropriate.
  • Appeals and reviews: Decisions by the ICO are subject to judicial review; time limits for appeals are set out by the ICO and court rules and are not specified on the cited page for each case.

If personal data is involved, the ICO must be notified where required without undue delay.

Applications & Forms

There is no special municipal permit or local form to report a cyber incident. Internal reporting uses the council's incident response procedures; external statutory reporting of personal data breaches follows ICO processes and templates, described on the ICO site [1]. Criminal reports follow police reporting routes and Action Fraud guidance [3].

Action Steps for Council Staff and Contractors

  • Immediate containment: Disconnect affected systems from the network where safe and preserve forensic evidence.
  • Notify internal IT/security incident response team and line manager.
  • Record: capture logs, timestamps, and a list of affected services and data types.
  • Report externally as required: ICO for personal data breaches [1], NCSC for technical guidance and incident coordination [2], and Action Fraud for cybercrime reporting [3].

Reporting Channels and Contacts

Primary external channels commonly used by public bodies in England are the ICO for data protection matters, the National Cyber Security Centre (NCSC) for national incident coordination and guidance, and Action Fraud for reporting criminal cyber incidents. Use internal council channels first so the council can coordinate investigation and public messaging.

Always follow your council's incident response plan before public disclosure.

FAQ

Who should I contact first inside the council?
Contact your local IT or security incident response team immediately and follow internal reporting procedures; if unsure, contact your manager or the council's data protection contact.

When must the ICO be informed?
The ICO must be notified of a personal data breach where it is likely to result in a risk to people's rights and freedoms; see ICO guidance for timing and content requirements [1].

Should I report to the police?
Yes, for criminal incidents such as ransomware with extortion, unauthorised access, or significant fraud; Action Fraud provides the reporting route for many cybercrimes [3].

How-To

  1. Identify: confirm systems and data affected and initial scope.
  2. Contain: isolate affected endpoints and preserve evidence.
  3. Notify internal incident response team and follow documented escalation steps.
  4. Report externally as required: ICO for personal data breaches [1], NCSC for technical coordination [2], and Action Fraud for criminal reports [3].
  5. Recover: follow restoration plans and communicate to affected users and stakeholders.

Key Takeaways

  • Report quickly to limit harm and meet legal duties.
  • Use internal channels first so the council can coordinate response and external notifications.

Help and Support / Resources

  [1] ICO - Report a personal data breach or data security incident
  [2] NCSC - Incident management guidance
  [3] Action Fraud - Report fraud and cyber crime