Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Page Properties
hiddentrue

Task details

Review cycle

Annually

PDF
nameIncident Response and Management 2024.pdf

View file
nameIncident Response and Management 2024.pdf

...

1. Introduction

The implementation of the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 requires organisations to report certain types of incidents to NHS Digital, the Department of Health and Social Care (DHSC) and the Information Commissioners’ Office (ICO) (the supervisory authority).

...

See the below table for examples, not limited to these types of breaches:

Confidentiality 

Unauthorised or accidental disclosure of, or access to, personal information 

Data sent by email to incorrect recipient

Emails containing personal information sent to an incorrect recipient.

Not using BCC when sending email

Not using blind copy (bcc) in emails resulting in sharing of personal email address without consent.

Information sent by unsecure email

Personal or clinical information sent via unsecure email method, e.g. unencrypted.

Disclosure of access details

Sharing log-in details and passwords.

Unauthorised access or disclosure 

Disclosure of information to a third party who is not entitled to receive it.  Wilful unauthorised access to, or disclosure of personal information without consent.

Integrity

Unauthorised or accidental alteration of personal information

Accidental alteration of information

A record changed in error.

Malicious alteration of information 

To deliberately change / alter a record.

Security failure of IT systems / equipment

A cyber incident which changes the quality of information, e.g. accuracy, reliability.

Availability

Unauthorised or accidental loss of access to, or destruction of personal information 

Information uploaded or recorded to incorrect record

Leading to potential harm as information is not available in the right place at the right time.

Corruption or non-recoverable information loss

Avoidable or foreseeable corruption of information or an issue which otherwise prevents access which has quantifiable consequences for the affected individuals. e.g. 

  • Corruption of a file which renders the information inaccessible.

  • Inability to recover a file as its method or format of storage is obsolete.

  • Loss of a password, encryption key or the poor management of access controls leading to the information becoming inaccessible.

Loss or theft of device

Loss of information contained on portable devices which may include:

  • Laptops.

  • Mobile Phones.

  • USB memory sticks.

  • Servers.

  • Hard Drives.

Insecure disposal of electronic / IT equipment

The failure to dispose of hardware containing personal information using appropriate technical and organisational means, which may include:

  • Failure to securely wipe information prior to destruction.

  • Failure to securely destroy hardware to appropriate industry standards,

  • Resale of equipment containing retrievable personal information.

  • Third party contractor failure to meet requirements for the safe removal, destruction, sale, recycling of personal information.

4. Process for Reporting an Incident

...

Establish the Likelihood that an Adverse Effect has Occurred

No

Likelihood

Description

1

Not Occurred

There is absolute certainty that there can be no adverse effect.  This may involve a reputable audit trail or forensic evidence.

2

Not likely or any incident involving vulnerable groups even if no adverse effect occurred

In cases where there is no evidence that can prove that no adverse effect has occurred this must be selected.

3

Likely

It is likely that there will be an occurrence of an adverse effect arising from the breach.

4

Highly Likely

There is almost certainty at some point in the future an adverse effect will happen.

5

Occurred

There is a reported occurrence of an adverse effect arising from the breach.

Where the incident is assessed as (at least) likely that some harm has occurred and that the impact is (at least) minor, the incident is reportable and full details will be automatically emailed to the ICO and the NHS Digital Data Security Centre(DHSC). The DHSC will also be notified where it is (at least) likely that harm has occurred and the impact is (at least) serious. 

...

Grade the Potential Severity of the Adverse Effect on Individuals

No

Effect

Description

1

No Adverse Effect

There is absolute certainty that no adverse effect can arise from the breach.

2

Potentially some Minor Adverse effect or any Incident involving vulnerable groups even if no adverse effect occurred

A minor adverse effect must be selected where there is no absolute certainty.  A minor adverse effect may be the cancellation of a procedure but does not involve any additional suffering.  It may also include possible inconvenience to those who need the data to do their job.

3

Potentially some Adverse Effect

An adverse effect may be the release of confidential information into the public domain leading to embarrassment or it prevents someone from doing their job such as a cancelled procedure that has the potential of prolonging suffering but does not lead to a decline in health.

4

Potentially Pain and Suffering / Financial Loss

There has been reported suffering and decline in health arising from the breach or there has been some financial detriment occurred.  Loss of bank details leading to loss of funds.  There is a loss of employment.

5

Death / Catastrophic Event

A person dies or suffers a catastrophic occurrence.

Both the adverse effect and likelihood values form part of the breach assessment grid.

...

Reporting Schema for Data Breaches from May 2018 (new legislation introduced)

ID

Information Requested

1

Organisation Name

2

Organisation Code

3

Name of Person Submitting the Incident

4

Email Address of the Person Submitting the Incident

5

Sector

6

What has happened?

7

How did you find out?

8

Was the Incident caused by a problem with a network or an information system?

9

What is the Local Incident ID?

10

When did the Incident start?

11

Is the Incident still on-going?

12

Have Data Subject or Users been informed?

13

Is it likely that Citizens outside of England will be Affected?

14

Have you Notified any other (overseas) Authorities about this Incident?

15

Have you Informed the Police?

16

Have you Informed any other Regulatory Bodies about this Incident?

17

Has there been any Media coverage (that you are aware of) of the Incident?

18

What other actions have been taken or are planned?

19

How many Citizens are Affected?

20

Who is Affected?

21

What is the Likelihood that People’s rights have been affected?

22

What is the Severity of the Adverse Effect?

23

Has there been any potential Clinical Harm as a result of the Incident?

24

Has the Incident disrupted the delivery of Healthcare Services?

25

Which of these Services are operated by your Organisation?

4.4. Final Reporting, Lessons Learned and Closure of the incident

...

6. Examples of Notification (ref: NHS Digital Guide to the Notification of Data Security and Protection Incidents - September 2018)

Q. A loss of one patient’s scanned case notes which is likely to lead to problems in treating that patient.

A. Yes as it has caused harm to that individual from a problem in treatment that has arisen from the unavailability of the case notes.

Q. A cyber incident similar to the WannaCry incident of 2017, where there is a determination no data has been lost but encrypted and it affects clinical services.

A. Yes as it affects availability and has an ICO effect on individuals which is likely to result in a risk to individuals from cancelled appointments and operations which may prolong the pain and suffering of the patient. 

Q. 10 DNA profiles (biometric data) with names sent to the wrong email address.

A. Yes as it may cause harm to the individual unless it is a trusted source or encrypted. The biometric data is a special category of data under GDPR and the combination of a name makes it personal data.

Q. A log of IP addresses and user-names who have accessed a patient portal accidentally backed up to a cloud provider in Canada.

A. No. As the user name could be identifiable and IP addresses are classified as personal data it is a personal data breach. It may score as a non ICO notifiable personal data breach as there is a low risk to the rights and freedoms of individuals.

Q. A medical record of a safeguarded child in a mental health unit are sent to the wrong department of the same hospital trust. No serious adverse effect to the rights and freedoms of the child are reported and at no time has the medical record been unaccounted for or any non ‘trusted’ person had the opportunity to access the record.

A. No. Although there has been an error and the medical records have not been sent to the correct department this does not need reporting because the department is considered ‘trusted’. If the records were sent to another organisation that does not meet the definition of ‘trusted’ it would be notifiable. An investigation must still be performed, and measures introduced to prevent a further breach.

Q. A set of case notes found in a bin outside a supermarket.

A. Yes a data breach is still a breach irrespective of media. It is not restricted to digital information and continues to include paper-based records.

Q. A single ward handover sheet is found in the hospital car park identifying patients and conditions. It is found by a staff member and is classed as ‘trusted’ and the breach has been contained.

A. Yes as there is a potential breach of patient confidentiality that may have occurred during the time it has been left unattended it just may not be notifiable to the ICO. An organisation must investigate the breach and promote measures, so the breach does not occur again such as training for the team that has been responsible for the breach.

Q. A pathology system has gone down and test results are not available leading to a potential of cancelled operations. No reported harm has occurred yet.

A. Yes the significance of a loss of test results may cause harm to an individual through a cancelled operation. Even if none are reported the NIS threshold means that the pathology system is a key system for the NHS and is reportable. The notification tool will ask additional questions to determine that the pathology system is a critical system for NIS purposes.