Cookies on the Defra digital service manual

We use some essential cookies to make this service work.

We'd also like to use analytics cookies so we can understand how you use the service and make improvements.

View cookies
Skip to main content
Department for Environment, Food and Rural Affairs: AI digital toolkit
Deliver with AI

Report an AI incident

If you think Defra data may have been shared with an AI tool inappropriately, treat it as an incident and report it straight away.

Warning Report first, investigate after. Do not wait until you are sure.

You will not be penalised for reporting in good faith. The risk of not reporting is far greater than the risk of over-reporting.

What counts as an incident

Report it if you, or someone on your team, may have:

  • put OFFICIAL-SENSITIVE content into a public consumer AI tool
  • put any personal data into any AI tool
  • used an AI tool that had model training or chat history left switched on
  • given an AI tool access to files or systems holding Defra data without authorisation
  • shared AI-generated output that contained sensitive or incorrect information about real people or systems

If you are not sure whether something counts, report it anyway. Someone will help you work out whether it matters.

What to do

Follow these steps as soon as you realise an incident has happened, or might have happened.

  1. Stop using the AI tool immediately.
  2. Do not delete or change anything. The people handling the incident need to see clearly what happened.
  3. Tell your line manager and your team's information asset owner. Give a short description of what happened and what data was involved.
  4. Report it through Defra's security incident process so the information security team can assess it.

Your line manager and information asset owner will assess how serious it is and decide whether to escalate, including to Defra's information security team.

If the incident involved personal data

Personal data needs extra care. As well as the steps above, follow the guidance in Keeping data safe to remove the data and check nothing else is affected.

A personal data breach may need to be reported to the Information Commissioner's Office within 72 hours, so do not delay.

Prevent the next one

Most AI incidents come from a tool seeing data it should not.

Choosing a tool covers privacy settings and the everyday tools that have AI built in. Using data with AI sets out what you can put where.

Check both before you start.

Ask AICE about AI risk

Not sure whether something counts as an incident? Ask us. It is always better to check.