Personal data breaches
Health and care organisations are committed to handling information safely and securely. Personal data breaches are rare. In those instances, this guidance is designed to help health and care organisations deal with personal data breaches, for example, losing personal information. It provides advice on what a personal data breach is and the steps that need to be taken if a breach occurs.
- I'm a patient/service user - what do I need to know?
- I work in a health and care organisation - what do I need to know?
- I'm an IG Professional - what do I need to know?
Guidance for patients and service users
Health and care organisations hold data about you and are required by law to keep this information secure from loss, inappropriate disclosure or access. This includes electronic and paper records.
However, accidents may occasionally happen and your records may have been used in ways that they shouldn’t have, shared inappropriately, or have been destroyed without authorisation. If this happens, steps will be taken to ensure that it doesn’t happen again, that the risks to you and your care are minimised, and everyone learns from the mistake.
If there is a breach to the security of your information and there is a high risk to your rights and freedoms, you should be informed by your health and care organisation. Your health and care organisation will also inform the Information Commissioner’s Office (ICO), for example, if your personal information was lost in a public place. Your health and care organisation may contact you directly, for example, by sending you an email or letter. Alternatively, they may put information on their website.
If you discover a potential data breach, you can contact the organisation who you think has caused the breach and make a complaint through its complaints process. If you are dissatisfied with the outcome of your complaint, you can contact the Information Commissioner’s Office and raise the issue with them.
Guidance for healthcare workers
Information security is the responsibility of each individual local health and care organisation, from GP practices to hospital trusts.
Ensuring health and care data is protected and used safely is a priority for the NHS. There are several safeguards in place to ensure that data is used across the health and care system in a safe, secure and legal way.
You are required by law to protect the personal or confidential patient information you use when providing care. This means ensuring it is only accessed by those that need it, providing only information required for that purpose, and ensuring you have consent or another legal basis to share the information.
What is a personal data breach?
There may be occasions when things go wrong. A personal data breach means an accidental or deliberate breach of security which leads to:
The loss or unlawful destruction of data
This could include, for example, an unencrypted memory stick containing health and care data is lost.
Alteration of data
This could include a staff member (or hacker) maliciously changes something in a patient or service user record. For example, deliberately changing a medication dosage from milligrams (mg) to grams (g).
This could include an email containing information about a patient being sent to the wrong email address.
This could include looking at more information than necessary on a patient or service user, or knowingly requesting (and obtaining) access to information that is not relevant to your role. For example, a geriatrician requesting access to paediatric systems or records.
What to do if you think there has been a data breach
If you become aware of a personal data breach, you should follow your organisation’s procedure for reporting a data breach. Usually, this is in your IG policy, and will require you to report the incident via the incident reporting process in your organisation or tell your Data Protection Officer (DPO) if you are unsure what to do.
You should report a data breach as soon as you become aware of it via your organisation’s incident reporting process. Your report should set out what has happened and any steps you have taken in response to the breach. For example, "email containing the name, DOB and NHS number of a patient sent to the wrong Jane Smith on 5 March. Recalled the email and asked the recipient to delete it and they have confirmed this." You should contribute to any investigation carried out.
If you are not sure if a breach has occurred, you should still report the breach via your organisation’s incident reporting system. You should also consider reporting "near miss" data breaches. A near miss is where a breach could have occurred if an incident had developed or been left. An example is leaving patient records unsecured in a main hospital corridor used by the public. Reporting near misses helps your organisation consider changes to ensure that information is kept secure.
A community nurse’s car is broken into and his laptop is stolen. He uses the laptop to access a spreadsheet containing the personal data of his patients. The spreadsheet is encrypted and stored on the network drive. The community nurse reports the theft via his organisation’s incident reporting procedure, so that the IG team can decide upon next steps.
Guidance for IG professionals
The Data Protection Act 2018 and UK GDPR places a legal duty on controllers to secure the personal data they process. However, things can go wrong and it is important that you understand what to do in the event of a breach.
Deciding on the severity of a breach and whether it needs reporting
NHS Digital’s breach assessment grid supports you in deciding the severity of any breach using a risk score matrix. The risk score helps to determine whether the breach needs to be reported.
Incidents that result in a low score, where there is minimal risk to the affected people, may not need to be reported on the tool as set out in the matrix. You may however wish to record the incident on your local incident reporting system. This will help you detect patterns of incidents or local remedial action which needs to be taken, for example, updating procedures in response to an incident. You should also record locally your decision of why you decided to not report an incident via the DSPT tool.
Any personal data breach that is likely to result in a medium to high risk to the rights and freedoms of those affected will score highly on the matrix and must be reported on the tool. The tool will then automatically report the incident to the ICO and the Department of Health and Social Care (DHSC) as required. You will receive notification from the ICO that the incident has been logged with them.
Data breaches by someone processing data on your behalf must be reported by the controller of the data where required by the matrix. For example, if there was a data breach by a GP system supplier, the GP practice would need to report it. Processors are legally required to inform controllers of any breach they become aware of.
The diabetic department at a local acute hospital accidentally sends a list of patients to the podiatry team instead of the dietician team. This results in members of the podiatry team seeing the personal data of patients they are not caring for. The IG team records the breach on their system and reports it via the DSPT. The risk matrix is used to help determine the severity of the breach. The incident has occurred, but is considered minor because the data was not shared externally, and only a small number of individuals received the list. The score determines that the incident will be reported via the tool to the ICO, but not to the DHSC.
How do I report a breach?
Breaches should be reported on NHS Digital’s reporting tool, which can be accessed via the Data Security and Protection Toolkit. Once you’re signed in, you should look for the "report an incident" menu link. The tool allows reporting in one place and details are passed by NHS Digital through the tool to the Information Commissioner’s Office (ICO) and the Department of Health and Social Care (DHSC) where required.
When reporting an incident you should cover:
- the nature of the breach (including the type of data involved, numbers affected, or other relevant information)
- the name of the DPO or other suitable contact point
- the likely consequences to the data subjects that may arise as a result of the breach
- what measures you have taken, or proposed to take, to resolve the breach and to mitigate the consequences
You don’t have to provide all the information at this stage as it might not be known. However, as you become aware of information relating to the breach, then you should provide this on an ongoing basis. You must also document and report internally, any data breaches as the ICO may ask for this information as a way of verifying compliance with UK GDPR.
When should I report a breach?
If you decide a breach needs reporting, you should report it via the DSPT tool without undue delay, or in any case, within 72 hours (3 days) of becoming "aware" of the incident. You may require a brief period in which to investigate security incidents in order to establish with a reasonable amount of confidence that a breach has occurred. It is at this point you have become "aware" of the incident and your 72 hour period starts. The time of the incident being reported may be different from the actual time of the incident. Within that 72 hour window, you can choose when to report. For example, you might spend the first 48 hours investigating the incident and putting in place remedial actions and then report the incident via the DSPT tool.
Some samples for blood tests go missing in a lab. The samples contain personal data and details of what is being tested for. This is flagged as a clinical risk, but in parallel it is reported to the IG team because of the loss of personal data. The lab technician who received the samples is on leave for a day, so the IG team decides to wait 24 hours before reporting. Upon his return the samples are found. The lab procedures are updated to ensure all samples are logged immediately.
Do I need to inform patients and service users about a breach?
Where there is a high risk to an individual’s rights and freedoms, you have to contact those who are affected by the breach. For example, where an individual’s name and address has been breached due to using a third party processor who did not have adequate security in place, and identifiable data taken by the attacker, this could be used to commit identity fraud. This should be reported to the individuals who are impacted.
However, unless the ICO compels it, you do not need to inform patients or service users of a breach if:
- Appropriate organisational or technical measures were in place at the time the breach occurred, which made the data unusable or inaccessible. For example, the data or device was encrypted by your IT department before it was stolen.
- You have taken measures to ensure that any high risk impacts on the patient or service user are now unlikely to happen. For example, you have corrected the data you hold that was maliciously altered during a cyber attack.
- Disproportionate effort would be needed to inform the patient or service users of the breach. In which case, a public message on the website or in local newspapers alerting patients or service users to the incident would suffice, provided there is enough detail to inform the reader of the event. An example of this might be where a breach has occurred, but it is not possible (without disproportionate effort) to identify those affected, so a public message is sent out asking people to contact you if they think they have been affected.
- Personal data is recovered (returned or securely destroyed) from a "trusted partner organisation." A trusted partner organisation could be the wrong department of your organisation. It could also be an organisation where you have an ongoing relationship, so you know their history and procedures. This could provide you with assurance that they will not read or access the data sent in error and comply with instructions to return it. Even if the data has been accessed, the controller could still possibly trust the recipient not to take any further action with it and to return the data to the controller promptly.
When informing an individual of a breach, you should describe, in clear and plain English, the nature of the personal data breach and at least:
- the name and contact details of any DPOs you have, or other contact point where more information can be obtained
- a description of the likely consequences of the personal data breach
- a description of the measures taken or proposed, to deal with the personal data breach and, where appropriate, a description of the measures taken to mitigate any possible adverse effects
If possible, you should advise individuals on the steps they can take to protect themselves, and what you are willing to do to help them.
Here are letter templates for you to adapt and use if you wish:
Notification letter template (ODT, 17KB)
Follow-up letter template (ODT, 15KB)
An administrator in a social care team contacts a service user to inform them of a change to their care package, but contacts the wrong service user with the same name. Upon investigation, the social care team realises not only was the wrong service user contacted, but the wrong care record was updated too. The social care team reports the incident via the DSPT. The incident is reported via the DSPT to the ICO because of the potential impact upon the individual. The social care team contacts both service users to inform them of the breach.