The Mortimer Medical Practice
Data Protection & Information Governance Breach Reporting Policy
Table of contents
1 Introduction
1.1 Policy statement
1.2 Status
2 Managing incidents
2.1 Overview
2.2 Defence union indemnity cover
2.3 UK GDPR reporting requirements
2.4 Breach of patient confidentiality
2.5 Incorrect disposal of confidential material
2.6 Computer misuse by an authorised user
2.7 Theft or access by an unauthorised person
2.8 Lost or misfiled paper medical records
3 Reporting incidents and processes
3.1 Internal process
3.2 External process
3.3 Lessons learned
3.4 When do individuals have to be notified?
Annex A – Breach reporting form
Annex B – Information governance incident register
1 Introduction
1.1 Policy statement
This document sets out how this organisation will investigate and manage information incidents, and provides staff with guidelines for identifying and reporting information incidents, including near misses. It should be read in conjunction with the Data Protection Act 2018 and the UK GDPR, Chapter 4 of which details the requirements for breach reporting.
The procedures apply to incidents that affect the security and confidentiality of personal information. A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A breach is therefore more than simply losing personal data.
Information incidents can be categorised by their effect on patients and their information:
| Type of breach | Examples |
|---|---|
| Confidentiality | Unauthorised access, data loss or theft causing an actual or potential breach of confidentiality |
| Integrity | Records have been altered without authorisation and are therefore no longer a reliable source of information |
| Availability | Records are missing, mis-filed or have been stolen, compromising or delaying patient care |
Staff at this organisation have a duty to comply with the following legislation and guidance, which set out the circumstances under which confidential information can be disclosed:
- The Computer Misuse Act (1990)
- Health and Safety at Work Act (1974)
- Human Rights Act (1998)
- Regulation of Investigatory Powers Act (2000)
- Freedom of Information Act (2000)
- Health and Social Care Act (2008)
- The Caldicott Principles
- Confidentiality: NHS Code of Practice
- NHS E Guide to the Notification of Data Security and Protection Incidents
- NHS E Personal data breaches and related incidents
Further reading can be sought from the organisation’s:
- Data Protection and Security Toolkit (DSPT) Handbook
- Data Quality Policy
- Confidentiality and Data Protection Handbook
- Business Continuity Plan
- Information Governance Training Guidance
All staff are to undertake information governance (IG) and UK GDPR eLearning during induction and subsequent annual update training, covering the following modules:
- Caldicott and Confidentiality
- GDPR – The Perfect Practice
- Information Governance and Data Security
- UK General Data Protection Regulation (UK GDPR)
1.2 Status
In accordance with the Equality Act 2010, we have considered how provisions within this policy might impact on different groups and individuals. This document and any procedures contained within it are non-contractual, which means they may be modified or withdrawn at any time. They apply to all employees and contractors working for the organisation.
2 Managing incidents
2.1 Overview
The IG Lead and Senior Information Risk Owner (SIRO), in conjunction with the Data Protection Officer (DPO), will assess and manage all IG and data protection breaches. Any actual or potential information incident in The Mortimer Medical Practice will be assigned to one of the categories listed in the Guide to the Notification of Data Security and Protection Incidents and investigated and managed accordingly.
The DPO will grade the breach and provide appropriate advice with regard to the reporting and management of the breach.
2.2 Defence union indemnity cover
Claims have been challenged by the defence union where it would not support certain types of data breach, especially those deemed to be malicious. Therefore, the Practice Manager will review the Policy Schedule to confirm that cover is currently provided and, at annual policy renewal, the organisation’s requirements will be discussed so that data breaches are included.
2.3 UK GDPR reporting requirements
The Information Commissioner’s Office (ICO) explains that the UK GDPR introduced a duty on all organisations to report certain types of data breach to the relevant supervisory authority. If a breach is likely to result in a high risk to the rights and freedoms of individuals, the UK GDPR states that those individuals must also be informed directly and without undue delay.
The above must be assessed on a case-by-case basis by the data protection leads within this organisation. As such, any breach must be reported, ordinarily by the SIRO, to both the DPO and the IG Lead within 24 hours of becoming aware of the breach. This allows an assessment and provisional investigation to take place so that a report can be forwarded to the ICO within the mandatory timescale of 72 hours of the breach becoming known.
2.4 Breach of patient confidentiality
This organisation will:
- Discuss with the defence union as required
- Interview the complainant to establish the reason for the complaint and why The Mortimer Medical Practice is being considered responsible
- Investigate according to the information given by the complainant
- Ensure the investigator records the findings within the reporting system, e.g., unsubstantiated concern, suspected/potential breach, actual breach, etc.
- When necessary, provide a written explanation to the complainant with a formal apology if warranted
- Take and document appropriate action, e.g., no further action as there is no evidence that information was put at risk, advice/training, disciplinary measures, etc.
- Report the breach to the supervisory authority (the ICO) via the DSP Toolkit within 72 hours of being aware of the breach and undertake any recommendations made following the reporting procedure. For support, the NHS Digital Data Security Centre can be contacted on 0300 303 5222
2.5 Incorrect disposal of confidential material
This type of incident may lead to a breach of confidentiality. It is likely to be reported by an affected patient, a member of the public or a member of staff, and could involve paper, hard drives, disks/tapes, etc.
This organisation will:
- Discuss with the defence union if appropriate
- Investigate how the information left The Mortimer Medical Practice by interviewing staff and contractors as appropriate
- Consider the sensitivity of the data and the risk to which the patient(s) has been exposed, e.g., breach of confidentiality, misuse of data
- Consider whether the patient(s) should be informed and, when it is judged necessary, provide a written explanation to the patient(s) with a formal apology
- Ensure the investigator records the findings within the reporting system, e.g., potential breach, actual breach, evidence of misuse, etc.
- Take and document appropriate action, e.g., advice/training, disciplinary or contractual measures, etc.
- Report the breach to the supervisory authority (the ICO) via the DSP Toolkit within 72 hours of being aware of the breach and undertake any recommendations as suggested following the reporting procedure
2.6 Computer misuse by an authorised user
This includes browsing medical records when there is no requirement to do so, accessing unauthorised internet sites, excessive/unauthorised personal use, tampering with files, etc.
This organisation will:
- Discuss with the defence union as required (refer to Section 2.2 regarding malicious intent)
- Interview the person reporting the incident to establish the cause for concern
- Establish the facts by asking the system administrator to conduct an audit on activities by the user concerned
- Establish whether there is a justified reason for the alleged computer misuse
- Consider the sensitivity of the data and the risk to which the patient(s) has been exposed, e.g., breach of confidentiality, the risk that information may have been tampered with and consider whether the patient(s) should be informed
- Ensure the investigator records the findings within the reporting system, e.g., breach of confidentiality, evidence of tampering, fraud, carrying on a business, accessing pornography, etc.
- Take and document appropriate action, e.g., no action as allegation unfounded, training/advice, disciplinary measures, etc.
- Report the breach to the supervisory authority (the ICO) via the DSP Toolkit within 72 hours of being aware of the breach and undertake any recommendations as suggested following the reporting procedure
2.7 Theft or access by an unauthorised person
This type of incident may lead to a breach of confidentiality, the risk that information has been tampered with or information not being available when needed.
This organisation will:
- Discuss with the defence union as appropriate
- Check the hardware asset register to find out whether equipment is missing
- Investigate whether there has been a legitimate reason for the removal of the equipment (such as repair or working away from the usual base)
- If the cause is external, inform the police, ask them to investigate and keep them updated with the organisation’s findings
- Interview staff and check the data asset register to establish what data was being held and how sensitive it is
- Establish the reason for the theft/unauthorised access, such as:
  - Items to sell
  - Access to material to embarrass the organisation
  - Access to material to threaten patients (blackmail, stigmatisation)
- Consider whether there is a future threat to system security
- Inform insurers
- Review the physical security of the organisation
- If there has been unauthorised access to the organisation’s IT system:
  - Ask the system administrator to conduct an audit to determine whether unauthorised changes have been made to patient records
  - Consider whether any care has been provided to patients whose records have been tampered with
  - Check compliance with access control procedures, e.g., ensure passwords have not been written down, staff members are logging out properly, etc.
- Consider the sensitivity of the data and the risk that it has been tampered with or will be misused in order to assess whether further action is appropriate
- If computer hardware or the core software has been stolen, inform the system administrators/suppliers to enable the restoration of system data to new equipment
- Ensure the investigator records findings in the reporting system, e.g., potential or actual breach, evidence of tampering, compromised or delayed patient care etc.
- Take and document appropriate action, e.g., physical security improvements, advice/training, disciplinary measures, etc.
- Report the breach to the supervisory authority (the ICO) via the DSP Toolkit within 72 hours of being aware of the breach and undertake any recommendations as suggested following the reporting procedure
2.8 Lost or misfiled paper medical records
This type of incident could have a severe impact on patient care as the information within a patient’s record may be incorrect or not available when required.
This organisation will:
- Discuss with the defence union if required
- Investigate who last used/had the paper record by interviewing staff and contractors as appropriate
- Consider whether any care has been provided based on incorrect information within a patient record
- Consider whether patient care has been delayed due to information not being available
- Establish whether the missing information can be reconstituted, e.g., from electronic records
- If information within records has been mis-filed, ensure it is restored to the correct filing order/returned to the correct record
- When necessary, i.e., if care is affected, provide a written explanation to the patient with a formal apology
- Ensure the investigator records the findings in the reporting system, e.g., compromised or delayed patient care, etc.
- Take and document appropriate action, e.g., advice/training, disciplinary or contractual measures, etc.
- Report the breach to the supervisory authority (the ICO) via the DSP Toolkit within 72 hours of being aware of the breach and undertake any recommendations as suggested following the reporting procedure
3 Reporting incidents and processes
3.1 Internal process
Incidents should be reported using the appropriate form at Annex A and added to the Information Governance Incident Register and the DSP Toolkit.
The IG Lead, SIRO and DPO must be informed within 24 hours of the incident being identified.
3.2 External process
The Data Protection Act 2018 Section 108 requires that a notifiable breach must be reported to the ICO within 72 hours of The Mortimer Medical Practice becoming aware of it. While it may not be feasible to fully investigate a breach within this period, The Mortimer Medical Practice may provide information in phases, as detailed at Section 108(4).
Serious information incidents are to be reported to NHS E, the ICB and the ICO by the IG Lead, Mrs Fiona Harper, the SIRO and the DPO, Mr Paul Couldrey of ICPT Consulting Ltd, as detailed within the NHS E guidance titled Guide to the Notification of Data Security and Protection Incidents. Incident reporting should be completed on the DSP Toolkit, and advice and guidance relating to a cyber security incident can be obtained from the NHS Digital Data Security Centre on 0300 303 5222.
3.3 Lessons learned
As with any incident that may have an adverse effect on the organisation, consideration is to be given to raising the breach as a significant event, conducting ongoing audits and undertaking additional training to ensure that lessons have been learnt.
Furthermore, registered data incidents are to be re-evaluated after a six-month period to assess whether the implemented actions have been effective, i.e., whether the type of incident is no longer being reported or the volume of such incidents has reduced. If there is no change in the volume of a type of incident, the management team is to be alerted and appropriate action taken.
To provide staff with an example of what could occur, how to respond to such events and how to avoid them, previous incidents are used in security and confidentiality training sessions.
3.4 When do individuals have to be notified?
When a breach is likely to result in a high risk to the rights and freedoms of individuals, those concerned must be notified directly. The ‘high risk’ test means the threshold for notifying individuals is higher than that for notifying the relevant authorities as above. The Mortimer Medical Practice should also consider its duties of candour.
Regulation 20: Duty of Candour explains the requirements in detail including providing supporting examples for the different areas of healthcare provision and how the CQC regulates the duty of candour. Both the statutory duty of candour and the professional duty of candour have similar aims. These are to make sure that those providing care are open and transparent with those people using their services whether or not something has gone wrong.
The IG Lead, SIRO and DPO will make an assessment about informing individuals of any breaches. When notifying any individual of a data breach, guidance can be sought from the NHS E guidance titled Personal data breaches and related incidents where the following letters may be used as a guide:
Further detailed information is available within the organisation’s Duty of Candour Policy.
Annex A – Breach reporting form
INFORMATION GOVERNANCE REPORTING FORM
Refer to this form to report the details of any actual or potential incidents that affect the confidentiality and security of patient information. It should then be given to the Senior Information Risk Owner for further action.
| General information | | |
|---|---|---|
| Register number: (to be added by IG Lead) | | |
| Reported by: | Date/time detected: | |
| Title: | Date/time reported: | |
| Email: | Telephone: | |

| Incident details | | |
|---|---|---|
| Incident summary (state the facts only, where it occurred, what information was involved etc.): | | |
| Type of incident (tick a category): | Confidentiality (e.g., breach due to unauthorised access, potential breach due to lost record, etc.) | |
| | Integrity (e.g., records altered without authorisation, etc.) | |
| | Availability (e.g., records missing, mis-filed, theft etc.) | |
| Impacts on the organisation: (total failure, business as usual etc.) | | |
| Type of system(s) affected: (clinical, patient information, finance, administration) | | |
| What is the information? | | |
| What security controls were in place? | | |
| Was the information encrypted? | | |
| Scale of incident: how many individuals is the information about? | | |
| Incident details (state the facts only, where it occurred, what information was involved, what did you do, who will/have you reported to etc.): | | |

| Investigation and management | | |
|---|---|---|
| Name of person investigating: | Date of commencement of investigation: | |
| Investigations, findings, actions and recommendations: | | |

| Post-incident reporting | | |
|---|---|---|
| Incident and investigation outcome reported to: (add any other relevant notes here, e.g., issue and outcome discussed at staff meeting) | ICB | YES/NO |
| | Information Commissioner | YES/NO |
| | Organisation insurer | YES/NO |
| | CQC | YES/NO |
| | Other | |