...
See the table below for examples; breaches are not limited to these types:

| Breach type | Description |
|---|---|
| Confidentiality | Unauthorised or accidental disclosure of, or access to, personal information |
| Data sent by email to incorrect recipient | Emails containing personal information sent to an incorrect recipient. |
| Not using BCC when sending email | Not using blind copy (bcc) in emails, resulting in sharing of personal email addresses without consent. |
| Information sent by unsecure email | Personal or clinical information sent via an unsecure email method, e.g. unencrypted. |
| Disclosure of access details | Sharing log-in details and passwords. |
| Unauthorised access or disclosure | Disclosure of information to a third party who is not entitled to receive it. Wilful unauthorised access to, or disclosure of, personal information without consent. |
| Integrity | Unauthorised or accidental alteration of personal information |
| Accidental alteration of information | A record changed in error. |
| Malicious alteration of information | Deliberately changing or altering a record. |
| Security failure of IT systems / equipment | A cyber incident which changes the quality of information, e.g. accuracy, reliability. |
| Availability | Unauthorised or accidental loss of access to, or destruction of, personal information |
| Information uploaded or recorded to incorrect record | Leading to potential harm as information is not available in the right place at the right time. |
| Corruption or non-recoverable information loss | Avoidable or foreseeable corruption of information, or an issue which otherwise prevents access, which has quantifiable consequences for the affected individuals, e.g. |
| Loss or theft of device | Loss of information contained on portable devices, which may include: |
| Insecure disposal of electronic / IT equipment | The failure to dispose of hardware containing personal information using appropriate technical and organisational means, which may include: |
4. Process for Reporting an Incident
...
Establish the Likelihood that an Adverse Effect has Occurred

| No | Likelihood | Description |
|---|---|---|
| 1 | Not Occurred | There is absolute certainty that there can be no adverse effect. This may involve a reputable audit trail or forensic evidence. |
| 2 | Not Likely, or any incident involving vulnerable groups even if no adverse effect occurred | This must be selected where there is no evidence that can prove that no adverse effect has occurred. |
| 3 | Likely | It is likely that an adverse effect will occur as a result of the breach. |
| 4 | Highly Likely | It is almost certain that an adverse effect will occur at some point in the future. |
| 5 | Occurred | There is a reported occurrence of an adverse effect arising from the breach. |
Where the incident is assessed as (at least) likely that some harm has occurred and the impact is (at least) minor, the incident is reportable and full details will be automatically emailed to the ICO and the NHS Digital Data Security Centre. The DHSC will also be notified where it is (at least) likely that harm has occurred and the impact is (at least) serious.
...
Grade the Potential Severity of the Adverse Effect on Individuals

| No | Effect | Description |
|---|---|---|
| 1 | No Adverse Effect | There is absolute certainty that no adverse effect can arise from the breach. |
| 2 | Potentially some Minor Adverse Effect, or any incident involving vulnerable groups even if no adverse effect occurred | A minor adverse effect must be selected where there is no absolute certainty. A minor adverse effect may be the cancellation of a procedure but does not involve any additional suffering. It may also include possible inconvenience to those who need the data to do their job. |
| 3 | Potentially some Adverse Effect | An adverse effect may be the release of confidential information into the public domain leading to embarrassment, or it prevents someone from doing their job, such as a cancelled procedure that has the potential of prolonging suffering but does not lead to a decline in health. |
| 4 | Potentially Pain and Suffering / Financial Loss | There has been reported suffering and decline in health arising from the breach, or some financial detriment has occurred, e.g. loss of bank details leading to loss of funds, or loss of employment. |
| 5 | Death / Catastrophic Event | A person dies or suffers a catastrophic occurrence. |
Both the adverse effect and likelihood values form part of the breach assessment grid.
...
Breach assessment grid: rows give the severity (impact) score, columns give the likelihood that individuals' rights have been affected (harm), and each cell is the product of the two.

| Severity (Impact) | Score | Not Occurred (1) | Not Likely (2) | Likely (3) | Highly Likely (4) | Occurred (5) |
|---|---|---|---|---|---|---|
| Catastrophic | 5 | 5 | 10 | 15 | 20 DHSC & ICO (24 hours) | 25 |
| Serious | 4 | 4 | 8 | 12 | 16 | 20 |
| Adverse | 3 | 3 | 6 | 9 | 12 ICO | 15 |
| Minor | 2 | 2 | 4 | 6 | 8 | 10 |
| No Adverse Effect | 1 | 1 | 2 | 3 | 4 | 5 |

This operates on a 5 x 5 basis, with anything other than "grey breaches" being reportable. Incidents whose grading falls in the red cells should be notified within 24 hours.
...
Reporting Schema for Data Breaches from May 2018 (new legislation introduced)

| ID | Information Requested |
|---|---|
| 1 | Organisation Name |
| 2 | Organisation Code |
| 3 | Name of Person Submitting the Incident |
| 4 | Email Address of the Person Submitting the Incident |
| 5 | Sector |
| 6 | What has happened? |
| 7 | How did you find out? |
| 8 | Was the Incident caused by a problem with a network or an information system? |
| 9 | What is the Local Incident ID? |
| 10 | When did the Incident start? |
| 11 | Is the Incident still on-going? |
| 12 | Have Data Subjects or Users been informed? |
| 13 | Is it likely that Citizens outside of England will be Affected? |
| 14 | Have you Notified any other (overseas) Authorities about this Incident? |
| 15 | Have you Informed the Police? |
| 16 | Have you Informed any other Regulatory Bodies about this Incident? |
| 17 | Has there been any Media coverage (that you are aware of) of the Incident? |
| 18 | What other actions have been taken or are planned? |
| 19 | How many Citizens are Affected? |
| 20 | Who is Affected? |
| 21 | What is the Likelihood that People's rights have been affected? |
| 22 | What is the Severity of the Adverse Effect? |
| 23 | Has there been any potential Clinical Harm as a result of the Incident? |
| 24 | Has the Incident disrupted the delivery of Healthcare Services? |
| 25 | Which of these Services are operated by your Organisation? |
4.4. Final Reporting, Lessons Learned and Closure of the incident
...
Summary of Data Security and Protection Incidents reported to the ICO and/or DHSC

| Month of Incident | Nature of Incident | Numbers Affected | Number of Patients Informed | Lessons Learned |
|---|---|---|---|---|
Statement of Internal Control (SIC) Guidance
...