Information Breach Reporting

This is the formal policy governing information breach reporting

Published: 28 July 2022

Version: 5.0

Introduction

The principles of the General Data Protection Regulation (GDPR) 2016 and the Data Protection Act (DPA) 2018 are based on ‘good information handling’. These give individuals specific rights in relation to their personal information and place certain obligations on those organisations that are responsible for processing it.

Organisations processing personal data must take appropriate measures against unauthorised or unlawful processing and against accidental disclosure, loss, destruction of or damage to personal data.

The NHS Counter Fraud Authority (NHSCFA) recognises the importance of promoting a culture in which data incidents and near misses are reported by all staff at the earliest opportunity, giving the organisation an opportunity to investigate and address contributory factors and so prevent recurrence.

Developing a culture where staff feel confident in reporting incidents will help the NHSCFA become a learning organisation, better equipped to learn lessons and safeguard against such incidents occurring in the future.

Where incidents are not properly managed, this can lead to a loss of public and stakeholder confidence in the organisation. Therefore, the Chief Executive and the Board aim to encourage an open and fair reporting culture within the organisation, where all staff can be confident that this approach will be adhered to at all times. All appropriate action will be considered where malicious, criminal, gross or repeated unprofessional misconduct gives rise to a breach.

This policy is a constituent part of the NHSCFA’s Information Security Framework which sets out a framework of governance and accountability for information security management across the organisation.

Purpose

This policy provides a framework for reporting and managing:

  • incidents affecting the security of NHSCFA information
  • security incidents affecting NHSCFA IT systems
  • losses of information; and
  • near misses and information security concerns

Everyone has an important part to play in reporting and managing information security incidents, in order to mitigate their consequences and reduce the risk of future breaches of security.

Objectives

This policy aims to support the prompt and consistent management of information security incidents in order to minimise any harm to individuals or the organisation. It is therefore important that all users and managers of the organisation’s information and IT systems understand:

  • their roles in reporting and managing suspected incidents
  • the need to report actual or suspected information security incidents promptly following the process outlined below

The policy and its supporting procedures provide a clear and consistent methodology to help ensure that actual and suspected incidents and near misses are:

  • reported promptly and escalated to those who can take timely and appropriate action
  • recorded accurately and consistently to assist investigation and highlight any actions necessary to strengthen information security controls.

Scope

What is an information security incident?

An information security incident is any event that affects, or has the potential to affect, the confidentiality, integrity or availability of the organisation’s information, in any format. Examples of security incidents include, but are not limited to:

  • human error
  • social engineering offences where information is disclosed/obtained by deception
  • inappropriate, insufficient or misconfigured controls allowing unauthorised access
  • suspected or actual breach of the NHSCFA Acceptable Use, IT Security, Communications and other relevant policies
  • alteration or deletion without authorisation from the Information Asset Owner
  • loss or theft of the information assets
  • covert or unauthorised recording/copying and exfiltration
  • system failure, virus infection or other cyber-attack on IT equipment, systems or networks

Applicability

This policy applies to:

  • All information created or received by the NHSCFA in any format, whether used in the workplace, held on authorised portable devices and media, transported from the workplace physically or electronically, or accessed remotely.
  • All staff, contractors or affiliates working for or on behalf of NHSCFA and any other persons permitted to have access to the organisation’s information systems.
  • All IT systems and networks owned, operated and managed by NHSCFA or by contracted partners/outsourcers.
  • All locations from which NHSCFA information is accessed including home use.

Reporting an incident

Where an individual becomes aware of an incident they should, where possible, take any immediate action needed to contain it. Where more than one member of staff is aware of an incident, it should be agreed who will report it to avoid duplication. Thereafter the individual should inform their line manager.

All incidents must in the first instance be immediately reported to the NHSCFA Service Desk (servicedesk@nhscfa.gov.uk, Ext: 0207 895 4545, Int: 514 4545), providing as much relevant detail as possible.

NHSCFA Service Desk will then undertake an initial assessment of the report to determine the most appropriate path for investigation/resolution.

If the incident involves an NHSCFA IT system, the process described under ‘IT systems security incident’ below will be followed. If there is no IT element, proceed directly to ‘Incident involving person-identifiable information’.

IT systems security incident

If a reported incident relates to an IT system, the ISO 27001/27002 processes for reporting and managing a security incident will be followed. These are held in the ISO 27001:2013 IT Security Management System database and are: P2 - Reporting Security Incidents, and P6 - Managing Security Incidents.

As part of the P6 process, the IT Security Manager (ITSM) or Information Security Lead (ISL) may, where appropriate, involve other parties in the evaluation. An incident may be assigned to:

  • the NHSCFA IT Security Officer (ITSO) to resolve and complete a report (updating the incident record in the Service Desk tool); OR
  • the Forensic Computing Unit Technical Lead, by escalation, so that a forensic image can be taken before the incident is assigned to support personnel.

The ITSO resolves the incident and completes a report, which is sent to the ITSM and ISL.

Depending on the nature of the incident the ITSM/ISL may need to report it to one or more of the following organisations/individuals:

  • GovCertUK - information security related incidents (incidents@govcert.gov.uk)
  • CINRAS - cryptographic/COMSEC issues
  • PSN Security Manager
  • NHSCFA Information Governance Lead - where a serious untoward incident involves the loss or exposure of person-identifiable information.

Incident involving person-identifiable information

Where it is determined that an incident involves person-identifiable information, the NHSCFA Service Desk, ISL and/or ITSM will need to ensure, together with the initial reporter of the incident, that the breach notification form (see Appendix 1) is completed and submitted as soon as practicable and in any event no later than 36 hours after the initial incident report is made. Thereafter, if the individual has not already done so, they should inform their line manager.

Where the line manager is not the Information Asset Owner (IAO), it is the line manager’s responsibility to ensure the breach is immediately notified to the IAO.

Following completion of the incident form, and depending on the nature of the breach, the form should be submitted immediately to the Information Governance Lead so that it can be recorded in the ‘breach log’ and any further action and/or submission to the Information Commissioner’s Office (ICO) can be considered. Standalone breach notification forms can be located on Go2.

Notifying data subjects

Where it is considered that an information security incident is likely to result in a high risk to the rights and freedoms of the data subject, such as identity theft or compromise of their financial status, the affected data subjects will need to be notified.

The responsibility for notifying individuals who have been subject to a personal data breach rests with the responsible IAO and/or the Unit Manager. Once the affected individual(s) have been notified, the Unit Manager must provide written confirmation to the Information Governance Lead outlining the action taken and the date on which the process was completed.

There are different ways in which those affected can be notified, having regard to the security of the medium as well as the urgency of the situation. Suggested wording is provided at Appendix 2.

Where any of the following conditions apply, the data controller is not required to notify individuals in the event of a breach:

  • The controller has applied appropriate technical and organisational measures to protect personal data prior to the breach, in particular those measures that render personal data unintelligible to any person who is not authorised to access it (such as encryption)
  • Immediately following a breach, the controller has taken steps to ensure that the high risk posed to individuals’ rights and freedoms is no longer likely to materialise; e.g. the controller may have immediately identified and taken action against the individual who has accessed personal data before they were able to do anything with it.

    Due regard will still need to be given to the possible consequences of any breach of confidentiality, depending on the nature of the data concerned.

  • It would involve disproportionate effort to contact individuals; e.g. where their contact details have been lost as a result of the breach or were not known in the first place. Instead, the controller must make a public communication or take some other similar measure whereby the individuals are informed in an equally effective manner. In the case of disproportionate effort, technical arrangements could also be made to make information about the breach available on demand, which could prove useful to those individuals who may be affected by a breach but whom the controller cannot otherwise contact.

Notifying stakeholders and interested parties

It is important to engage effectively with those directly affected by, or who have a wider interest in, the management of the data breach. The organisation will also need to mitigate any reputational impact and the effect it may have on stakeholder confidence.

Therefore, any Manager/Unit Lead who identifies an incident where there is potential for media interest must inform the communications team immediately. The communications team, together with the relevant Unit Lead and IAO, will need to formulate an effective engagement plan at the earliest opportunity to inform, among others:

  • Other relevant data controllers
  • Department of Health and Social Care Anti-Fraud Unit
  • Law enforcement (if applicable)

This is not an exhaustive list.

Roles and responsibilities

The Board

The Board is responsible for ensuring that NHSCFA’s culture is conducive to and supportive of staff reporting data breach incidents, so that such incidents can be reduced in the future, lessons learned and effective practice reinforced.

Chief Executive

The Chief Executive is ultimately accountable for ensuring that the organisation has in place a robust data incident management framework, ensuring that:

  • the incident reporting culture is consistent
  • staff are encouraged to report incidents
  • lessons learned are shared across the organisation as appropriate

The Board Secretary

The Board Secretary has delegated authority to ensure that NHSCFA has in place a robust and effective incident management framework, including but not limited to:

  • the management and accountability structures
  • governance processes (reporting routes)
  • documented policies, procedures and guidance
  • appropriate training as required
  • the availability of adequate resources

Information Governance Lead

The Information Governance Lead is responsible for ensuring that all information security incidents are recorded and reported as appropriate. Where an information security breach is likely to result in a risk to the rights and freedoms of the data subject(s), the Information Governance Lead will be responsible for reporting the breach to the Information Commissioner’s Office within the specified regulatory time frame (72 hours of becoming aware of it, under Article 33 of the GDPR).

Unit Leads

Unit Leads (together with the IAO) should ensure that immediate action is taken to make sure the incident is contained, rectified and/or mitigated as appropriate. Where an information security incident necessitates immediate reporting to the Information Governance Lead, it is the Unit Lead’s responsibility to ensure the breach notification form is submitted within the specified time period stated above.

All staff

All staff who have access to the organisation’s information, IT and communications facilities are responsible for promptly reporting any actual or suspected information security incident in line with this policy.

Validity of this policy

This policy will be reviewed at least biennially, or sooner should the need arise, under the authority of the NHSCFA Board.
