| Page Properties | ||||
|---|---|---|---|---|
| ||||
|
| Iframe | ||||||||
|---|---|---|---|---|---|---|---|---|
|
| View file | ||
|---|---|---|
|
...
1. Introduction
The implementation of the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 requires organisations to report certain types of incidents to NHS Digital, the Department of Health and Social Care (DHSC) and the Information Commissioners’ Office (ICO) (the supervisory authority).
...
See the below table for examples, not limited to these types of breaches:
Confidentiality | Unauthorised or accidental disclosure of, or access to, personal information |
Data sent by email to incorrect recipient | Emails containing personal information sent to an incorrect recipient. |
Not using BCC when sending email | Not using blind copy (bcc) in emails resulting in sharing of personal email address without consent. |
Information sent by unsecure email | Personal or clinical information sent via unsecure email method, e.g. unencrypted. |
Disclosure of access details | Sharing log-in details and passwords. |
Unauthorised access or disclosure | Disclosure of information to a third party who is not entitled to receive it. Wilful unauthorised access to, or disclosure of personal information without consent. |
Integrity | Unauthorised or accidental alteration of personal information |
Accidental alteration of information | A record changed in error. |
Malicious alteration of information | To deliberately change / alter a record. |
Security failure of IT systems / equipment | A cyber incident which changes the quality of information, e.g. accuracy, reliability. |
Availability | Unauthorised or accidental loss of access to, or destruction of personal information |
Information uploaded or recorded to incorrect record | Leading to potential harm as information is not available in the right place at the right time. |
Corruption or non-recoverable information loss | Avoidable or foreseeable corruption of information or an issue which otherwise prevents access which has quantifiable consequences for the affected individuals. e.g.
|
Loss or theft of device | Loss of information contained on portable devices which may include:
|
Insecure disposal of electronic / IT equipment | The failure to dispose of hardware containing personal information using appropriate technical and organisational means, which may include:
|
4. Process for Reporting an Incident
...
Establish the Likelihood that an Adverse Effect has Occurred
No | Likelihood | Description |
1 | Not Occurred | There is absolute certainty that there can be no adverse effect. This may involve a reputable audit trail or forensic evidence. |
2 | Not likely or any incident involving vulnerable groups even if no adverse effect occurred | In cases where there is no evidence that can prove that no adverse effect has occurred this must be selected. |
3 | Likely | It is likely that there will be an occurrence of an adverse effect arising from the breach. |
4 | Highly Likely | There is almost certainty at some point in the future an adverse effect will happen. |
5 | Occurred | There is a reported occurrence of an adverse effect arising from the breach. |
Where the incident is assessed as (at least) likely that some harm has occurred and that the impact is (at least) minor, the incident is reportable and full details will be automatically emailed to the ICO and the NHS Digital Data Security Centre(DHSC). The DHSC will also be notified where it is (at least) likely that harm has occurred and the impact is (at least) serious.
...
Grade the Potential Severity of the Adverse Effect on Individuals
No | Effect | Description |
1 | No Adverse Effect | There is absolute certainty that no adverse effect can arise from the breach. |
2 | Potentially some Minor Adverse effect or any Incident involving vulnerable groups even if no adverse effect occurred | A minor adverse effect must be selected where there is no absolute certainty. A minor adverse effect may be the cancellation of a procedure but does not involve any additional suffering. It may also include possible inconvenience to those who need the data to do their job. |
3 | Potentially some Adverse Effect | An adverse effect may be the release of confidential information into the public domain leading to embarrassment or it prevents someone from doing their job such as a cancelled procedure that has the potential of prolonging suffering but does not lead to a decline in health. |
4 | Potentially Pain and Suffering / Financial Loss | There has been reported suffering and decline in health arising from the breach or there has been some financial detriment occurred. Loss of bank details leading to loss of funds. There is a loss of employment. |
5 | Death / Catastrophic Event | A person dies or suffers a catastrophic occurrence. |
Both the adverse effect and likelihood values form part of the breach assessment grid.
...
Where the incident is assessed that it is (at least) likely that some harm has occurred and that the impact is (at least) minor, the incident is reportable and full details will be automatically emailed to the ICO and the NHS Digital Data Security Centre. The DHSC will also be notified where it is (at least) likely that harm has occurred and the impact is at least serious.
Severity (Impact) | Catastrophic | 5 | 5 | 10 | 15 | 20 DHSC & ICO (24 hours) | 25 |
Serious | 4 | 4 | 8 | 12 | 16 | 20 | |
Adverse | 3 | 3 | 6 | 9 | 12 ICO | 15 | |
Minor | 2 | 2 | 4 | 6 | 8 | 10 | |
No Adverse Effect | 1 | 1 | 2 | 3 | 4 | 5 | |
1 | 2 | 3 | 4 | 5 | |||
Not Occurred | Not Likely | Likely | Highly Likely | Occurred |
Likelihood that individuals rights have been affected (harm) |
This operates on a 5 x 5 basis with anything other than “grey breaches” being reportable. Incidents where the grading results are in the red are advised to notify within 24 hours.
...
Reporting Schema for Data Breaches from May 2018 (new legislation introduced)
ID | Information Requested |
1 | Organisation Name |
2 | Organisation Code |
3 | Name of Person Submitting the Incident |
4 | Email Address of the Person Submitting the Incident |
5 | Sector |
6 | What has happened? |
7 | How did you find out? |
8 | Was the Incident caused by a problem with a network or an information system? |
9 | What is the Local Incident ID? |
10 | When did the Incident start? |
11 | Is the Incident still on-going? |
12 | Have Data Subject or Users been informed? |
13 | Is it likely that Citizens outside of England will be Affected? |
14 | Have you Notified any other (overseas) Authorities about this Incident? |
15 | Have you Informed the Police? |
16 | Have you Informed any other Regulatory Bodies about this Incident? |
17 | Has there been any Media coverage (that you are aware of) of the Incident? |
18 | What other actions have been taken or are planned? |
19 | How many Citizens are Affected? |
20 | Who is Affected? |
21 | What is the Likelihood that People’s rights have been affected? |
22 | What is the Severity of the Adverse Effect? |
23 | Has there been any potential Clinical Harm as a result of the Incident? |
24 | Has the Incident disrupted the delivery of Healthcare Services? |
25 | Which of these Services are operated by your Organisation? |
4.4. Final Reporting, Lessons Learned and Closure of the incident
...
Summary of Data Security and Protection Incidents reported to the ICO and/or DHSC
Month of Incident | Nature of Incident | Numbers Affected | Number of Patients Informed | Lessons Learned |
Statement of Internal Control (SIC) Guidance
...
6. Examples of Notification (ref: NHS Digital Guide to the Notification of Data Security and Protection Incidents - September 2018)
Q. A loss of one patient’s scanned case notes which is likely to lead to problems in treating that patient. A. Yes as it has caused harm to that individual from a problem in treatment that has arisen from the unavailability of the case notes. |
Q. A cyber incident similar to the WannaCry incident of 2017, where there is a determination no data has been lost but encrypted and it affects clinical services. A. Yes as it affects availability and has an ICO effect on individuals which is likely to result in a risk to individuals from cancelled appointments and operations which may prolong the pain and suffering of the patient. |
Q. 10 DNA profiles (biometric data) with names sent to the wrong email address. A. Yes as it may cause harm to the individual unless it is a trusted source or encrypted. The biometric data is a special category of data under GDPR and the combination of a name makes it personal data. |
Q. A log of IP addresses and user-names who have accessed a patient portal accidentally backed up to a cloud provider in Canada. A. No. As the user name could be identifiable and IP addresses are classified as personal data it is a personal data breach. It may score as a non ICO notifiable personal data breach as there is a low risk to the rights and freedoms of individuals. |
Q. A medical record of a safeguarded child in a mental health unit are sent to the wrong department of the same hospital trust. No serious adverse effect to the rights and freedoms of the child are reported and at no time has the medical record been unaccounted for or any non ‘trusted’ person had the opportunity to access the record. A. No. Although there has been an error and the medical records have not been sent to the correct department this does not need reporting because the department is considered ‘trusted’. If the records were sent to another organisation that does not meet the definition of ‘trusted’ it would be notifiable. An investigation must still be performed, and measures introduced to prevent a further breach. |
Q. A set of case notes found in a bin outside a supermarket. A. Yes a data breach is still a breach irrespective of media. It is not restricted to digital information and continues to include paper-based records. |
Q. A single ward handover sheet is found in the hospital car park identifying patients and conditions. It is found by a staff member and is classed as ‘trusted’ and the breach has been contained. A. Yes as there is a potential breach of patient confidentiality that may have occurred during the time it has been left unattended it just may not be notifiable to the ICO. An organisation must investigate the breach and promote measures, so the breach does not occur again such as training for the team that has been responsible for the breach. |
Q. A pathology system has gone down and test results are not available leading to a potential of cancelled operations. No reported harm has occurred yet. A. Yes the significance of a loss of test results may cause harm to an individual through a cancelled operation. Even if none are reported the NIS threshold means that the pathology system is a key system for the NHS and is reportable. The notification tool will ask additional questions to determine that the pathology system is a critical system for NIS purposes. |