Information Breach Reporting
This is the formal policy governing information breach reporting
Published: 28/07/2022
Version: 5.0
The principles of the General Data Protection Regulation (GDPR) 2016 and the Data Protection Act (DPA) 2018 are based on ‘good information handling’. These give individuals specific rights in relation to their personal information and place certain obligations on those organisations that are responsible for processing it.
Organisations processing personal data must take appropriate measures against unauthorised or unlawful processing and against accidental disclosure, loss, destruction of or damage to personal data.
The NHS Counter Fraud Authority (NHSCFA) recognises the importance of promoting a culture in which data incidents and near misses are reported by all staff at the earliest opportunity; providing the organisation with an opportunity to investigate and address contributory factors to try and prevent reoccurrence.
Developing a culture where staff feel confident in reporting incidents will help support the NHSCFA in becoming a learning organisation, ensuring that it is better equipped to learn lessons and safeguard against these occurring in the future.
Where incidents are not properly managed, this can lead to a loss of public and stakeholder confidence in the organisation. Therefore, the Chief Executive and the Board aim to encourage an open and fair reporting culture within the organisation, where all staff can be confident that this approach will be adhered to at all times. All appropriate action will be considered where malicious, criminal, gross or repeated unprofessional misconduct gives rise to a breach.
This policy is a constituent part of the NHSCFA’s Information Security Framework which sets out a framework of governance and accountability for information security management across the organisation.
This policy provides a framework for reporting and managing:
Everyone has an important part to play in reporting and managing information security incidents, in order to mitigate their consequences and reduce the risk of future breaches of security.
This policy aims to support the prompt and consistent management of information security incidents in order to minimise any harm to individuals or the organisation. It is therefore important that all users and managers of the organisation’s information and IT systems understand:
The policy and its supporting procedures provide a clear and consistent methodology to help ensure that actual and suspected incidents and near misses are:
What is an information security incident?
An information security incident is any event that affects, or has the potential to affect, the confidentiality, integrity or availability of the organisation’s information, in any format. Examples of security incidents can include but are not limited to:
This policy applies to:
Where an individual becomes aware of an incident they should, where possible, take any immediate action. Where more than one member of staff is aware of an incident, it should be agreed who will report it to avoid duplication. Thereafter the individual should inform their line manager.
All incidents must in the first instance be immediately reported to the NHSCFA Service Desk (servicedesk@nhscfa.gov.uk, Ext: 0207 895 4545, Int: 514 4545), providing as much relevant detail as possible.
NHSCFA Service Desk will then undertake an initial assessment of the report to determine the most appropriate path for investigation/resolution.
If the incident involves an NHSCFA IT system, then the process described in Section 7 will be followed. If there is no IT element, proceed to Section 8.
If a reported incident relates to an IT system, then the ISO 27001/27002 processes for reporting and managing a Security incident will be followed. These are held in the ISO 27001:2013 IT Security Management System database and are: P2 - Reporting Security Incidents, and P6 - Managing Security Incidents.
As part of the P6 process, the IT Security Manager (ITSM) or Information Security Lead (ISL) may, where appropriate, involve other parties as part of the evaluation. An incident may be assigned to:
The ITSO resolves the incident and completes a report which is sent to the ITSM and ISL.
Depending on the nature of the incident the ITSM/ISL may need to report it to one or more of the following organisations/individuals:
Where it is determined that an incident involves person-identifiable information, the NHSCFA Service Desk, ISL and/or the ITSM will need to ensure, together with the initial reporter of the incident, that the breach notification form (see Appendix 1) is completed and submitted as soon as practicable and in any event no later than 36 hours after the initial incident report is made. Thereafter, if the individual has not already done so, they should inform their line manager.
Where the line manager is not the Information Asset Owner (IAO), it is the line manager’s responsibility to ensure the breach is immediately notified to the IAO.
Following completion of the incident form and depending on the nature of the breach, the form should be submitted immediately to the Information Governance Lead so that it can be recorded in the ‘breach log’ and any further action and/or submission to the ICO may be considered. Standalone breach notification forms can be located on Go2.
Where it is considered that an information security incident is likely to result in high “risks to freedoms of the data subject”, such as identity theft or compromise of their financial status, the affected data subjects will need to be notified.
The responsibility for notifying individuals that have been subject to a personal data breach rests with the responsible IAO and/or the Unit Manager. Once the affected individual(s) have been notified, the Unit Manager must provide written confirmation to the Information Governance Lead outlining the action taken and the date the process was completed.
There are different ways in which those affected can be notified, having regard to the security of the medium as well as the urgency of the situation. Suggested wording is provided at Appendix 2.
Where the following conditions apply the data controller is not required to notify individuals in the event of a breach:
Due regard will still need to be given to the possible consequences of any breach of confidentiality, depending on the nature of the data concerned.
It is important to engage effectively with those directly affected by, or who have a wider interest in, the management of the data breach. The organisation will also need to mitigate any reputational impact and the effects that it may have on stakeholder confidence.
Therefore, any Manager/Unit Lead who identifies an incident where there is potential for media interest must inform the communications team immediately. The communications team, together with the relevant Unit Lead and IAO, will need to formulate an effective engagement plan at the earliest opportunity to inform, among others:
This is not an exhaustive list.
The Board are responsible for ensuring that NHSCFA’s culture is one that is conducive to and supportive of staff reporting a data breach incident, so that such incidents can be reduced in the future, lessons learned and effective practice reinforced.
The Chief Executive is ultimately accountable for ensuring that the organisation has in place a robust data incident management framework, ensuring that:
The Board Secretary has delegated authority to ensure that NHSCFA has in place a robust and effective incident management framework, including but not limited to:
The Information Governance Lead is responsible for ensuring that all information security incidents are recorded and reported as appropriate. Where an information security breach incident is likely to result in risks to the freedoms of the data subject(s), the Information Governance Lead will be responsible for reporting such incidents to the Information Commissioner’s Office within the specified regulatory time frame.
Unit Leads (together with the IAO) should ensure that immediate action is taken to make sure the incident is contained, rectified and/or mitigated as appropriate. Where an information security incident necessitates immediate reporting to the Information Governance Lead, it is the Unit Lead’s responsibility to ensure the breach notification form is submitted within the specified time period stated above.
All staff who have access to the organisation’s information, IT and communications facilities are responsible for reporting any actual or potential breach of information security incidents promptly in line with this policy.
This policy will be reviewed at least biennially, or sooner should the need arise, under the authority of the NHSCFA Board members.