Back to Blog
Every incident report names or describes individuals. That is personal data under UK GDPR. Security companies are data controllers for the records their staff create — and the SIA still expects those records to be detailed enough to stand up in an investigation.
The answer is not to write less. It is to write lawfully.
Lawful Basis for Security Incident Records
Most security incident documentation relies on legitimate interests — protecting the venue, staff, and public, and establishing what happened for legal and regulatory purposes. Your privacy notice and contract with the client should say so clearly.
Data Minimisation in Practice
Record what is necessary for the purpose — not everything you happen to know about a person. A subject description for an ejection is necessary. Their employment history is not.
Original Note's AI Quality Check reviews structure and completeness; it does not add personal data you did not enter. PII sent for AI feedback is redacted in processing.
Retention and Deletion
Your retention period should match your contract and plan — Original Note applies plan-based retention automatically. When a cohort or contract ends, know what happens to the data and document it.
Subject Access Requests
If someone requests their data — including CCTV stills referenced in your report — you must respond within one month. A well-structured incident log with timestamps and camera references makes that response faster and more defensible.
Try Original Note free for 7 days. No credit card required.