What should be reported?
Misuse of personal data and security incidents must be reported so that steps can be taken to rectify the problem and to ensure that the same problem does not occur again.
All breaches should be reported and triaged through Service Desk (firstname.lastname@example.org, Ext: 0207 895 4545, Int: 514 4545). Once this has been done staff should report the matter to their line manager.
If staff are unsure whether a particular activity amounts to a breach of an information governance or IT security policy, they should discuss their concerns with their line manager or the Information Governance team. The following list gives examples of breaches of this policy which should be reported:
- Sharing of passwords
- Unauthorised access to NHSCFA systems either by staff or a third party
- Unauthorised access to person-identifiable information where the member of staff does not require access or have a need to know
- Disclosure of person-identifiable information to a third party where there is no justification and you have concerns that it is not in accordance with data protection legislation and the NHS Code of Confidentiality
- Sending person-identifiable or confidential information in a way that breaches confidentiality
- Leaving person-identifiable or confidential information lying around in a public area
- Theft or loss of person-identifiable or confidential information
- Disposal of person-identifiable or confidential information in a way that breaches confidentiality i.e. disposing of person-identifiable information in an ordinary waste paper bin.
It is not possible to provide detailed guidance for every eventuality. Therefore, where further clarity is needed, the advice of a Senior Manager or the Information Governance team should be sought.
Reporting of Breaches
See the organisation’s Information Breach Reporting Policy.