Managing a cyber incident impacting children’s services

Use this module if your cyber incident involves activity such as safeguarding, child protection, managing risks to sensitive data, and engagement with external partners such as care providers, the DfE and Ofsted.

Children’s social care is critically dependent on digital systems – often many within the same council – to manage casework, monitor safeguarding and to provide information required by officers, regulators and government. In a serious cyber incident, these systems may be unavailable, sometimes immediately and for an extended period, while the cause and impact are identified. This can significantly disrupt service delivery and safeguarding activity.

After cause and impact are identified, the IT team would then focus on preventing further damage, recovering systems, restoring backups and managing access. During this time, access to systems may remain limited or unavailable. Where there are shared IT services and systems, either between departments or across councils, it may be necessary to prioritise access. This would mean one service is without system access for longer than others. Close co-ordination is therefore pivotal though response and recovery.

This can impact your ability to:

  • respond to safeguarding concerns in a timely way
  • maintain oversight of children and families
  • make timely payments to carers and providers
  • meet statutory reporting requirements.

Your key strategic actions

These are the critical actions to keep in focus throughout your response and recovery work. (Note: these are a strategic guide, not an exhaustive list of every action you should take.)

  • Do not expect a rapid recovery; plan for your systems to be impacted for weeks or months.
  • Department for Education (DfE) and/or Ofsted involvement will depend on your circumstances. Engage early with both agencies to determine the level of support or oversight required based on the scale of the incident.
  • Assess whether the incident impacts a single authority or multiple connected authorities and coordinate the response accordingly. Establish clear teams and coordination for the Children’s Services response and recovery.
  • Prioritise safeguarding processes with critical timings (e.g. MASH referrals, Section 47 enquiries, and court deadlines).
  • Plan for continuity of essential payments to foster carers, providers, and vulnerable families to prevent placement instability.
  • Clarify decision-making and governance for statutory overrides and manual sign-offs during disruption.
  • Ensure children’s social care is represented in Gold/Strategic and Silver/Tactical arrangements to weigh technical risk against safeguarding risk.
  • Identify where business continuity workarounds may introduce data or safeguarding risk (e.g. lack of access to historical case notes).
  • Maintain communication with schools, health partners, the police, and the judiciary.
  • Assume sensitive data has been stolen and start work to assess risks to children and families without delay.
  • Plan for the recovery of the whole digital architecture, including interconnected education and finance systems.
  • Ensure clear reconciliations between manual workaround records and restored systems to maintain a legally robust case history. 

Learning from previous incidents

Other councils who have experienced serious cyber incidents have found that:

  • Adopting a long-term recovery mindset is critical. Base your response on the potential for systems to be impacted for weeks or months, rather than expecting a rapid recovery.
  • Setting clear priorities as you implement your business continuity arrangements supports teams to their efforts focus while normal working is disrupted. Ensure this specifically considers the arrangements and working rhythms you will need to manage continuity arrangements for an extended length of time. Ensure that arrangements for data sharing in section 47 enquiries are prioritised for risk management.
  • Identifying services that rely on shared systems (e.g. Adults' social care), and establishing clear ownership and joint decision-making, helps manage competing priorities during response and recovery.
  • Partnership working is often affected, especially where usual data sharing and communication channels are disrupted.
  • Balancing IT and service expertise within response structures is essential, as decisions frequently require trade-offs between technical risks and safeguarding considerations.
  • assuming sensitive data may have been accessed or stolen enables earlier assessment of risks and faster implementation of mitigations, particularly for social care, health or education data.

Guidance across the different time stages

Key contacts

  • Up to date and accessible contact details for staff and partners.
  • Up to date and accessible contact details for vulnerable families.
  • Up to date and accessible contact details for schools.
  • Up to date and accessible contact details for key individuals from Ofsted, the DfE and the Ministry of Housing, Communities and Local Government (MHCLG).

Useful links and case studies

Building a cyber resilient service: A guide for directors of children’s services

Highlighted pages

Cyber incident grab bag for local authorities

A practical resource for responding to major cyber incidents.

Cyber incident grab bag: Service and situational guidance

Managing a cyber incident impacting adult social care services

Managing the finance impacts of a cyber incident