The Reporting of Serious IG Incidents Policy

Policy No: IG11
Version: 1.0
Name of Policy: The Reporting of Serious IG Incidents Policy
Effective From: 02/06/2015
Date Ratified: 07/05/2015
Ratified by: Health Informatics Assurance Group (HIAG)
Review Date: 01/05/2017
Sponsor: Director of Finance and Informatics
Expiry Date: 06/05/2018
Withdrawn Date:

Unless this copy has been taken directly from the Trust intranet site (Pandora) there is no assurance that this is the most up to date version.
This policy supersedes all previous issues.
The Reporting of Serious IG Incidents Policy v1
1
Version Control

Version | Release Date | Author/Reviewer | Ratified by/Authorised by | Date Ratified | Changes (Please Identify Page No.)
1.0 | 02/06/2015 | Marie Galloway, Information Governance Officer | Health Informatics Assurance Group (HIAG) | 07/05/2015 | New Policy following HSCIC Guidance
Contents

1. Introduction (page 4)
2. Purpose (page 4)
3. Scope (page 4)
4. Information Assets (page 5)
5. Definitions (page 5)
6. Duties and Responsibilities (page 5)
7. What is a Serious IG Incident (page 6)
8. Adverse Effects of Data Breaches (page 7)
9. Initial Reporting (page 7)
10. On-Call Arrangements (page 7)
11. Hosted Organisations (page 8)
12. Informing Data Subjects (page 8)
13. Assessing the Severity of an IG Incident (page 8)
14. Near Misses (page 10)
15. The Management and Reporting of IG Incidents (page 10)
    15.1 Logging an IG Incident (page 10)
    15.2 Incidents Categorised 0-1 (page 10)
    15.3 Incidents Categorised 2 and Above (page 10)
    15.4 Final Reporting, Closure and Lessons Learned Activity (page 11)
16. External Reporting (page 12)
17. Reporting and Publishing Details (page 12)
18. Financial Penalties (page 13)
19. Training (page 13)
20. Implementation (page 13)
21. Distribution (page 13)
22. Equality and Diversity (page 13)
23. Monitoring and Compliance of the Policy (page 14)
24. Reference Material (page 14)
25. Associated Documentation (page 15)

APPENDICES
Appendix 1: Examples of Potential Data Breaches (page 16)
Appendix 2: IG SIRI Process (page 19)
Appendix 3: Examples to Demonstrate the IG SIRI Severity Assessment Score (page 20)
Appendix 4: IG SIRI Investigation Checklist Report (page 22)
Appendix 5: Action Plan to Mitigate Risks Involved in the IG SIRI (page 25)
Appendix 6: Useful Contacts for Potential IG SIRIs (page 26)
The Reporting of Serious IG Incidents Policy
1. Introduction

Since June 2013 all organisations that process health and adult social care personal data must report all serious information governance incidents assessed at level 2 or above, via the HSCIC IG Toolkit Incident Reporting Tool, to the Department of Health (DH), the Information Commissioner's Office (ICO) and other regulators.

The purpose of this Policy is therefore to set out a clear process for reporting all Information Governance Serious Incidents Requiring Investigation (IG SIRIs) which occur in the Trust, and to ensure appropriate actions are taken in terms of communication and follow-up action plans with the SIRO and IG Lead, where appropriate.

Local clinical and corporate incidents will continue to be reported using local procedures and management tools (e.g. the Strategic Executive Information System, STEIS) as outlined in the Incident/Near-Miss Reporting and Investigation Policy (including Serious Incidents), but any notification of a serious IG SIRI for the attention of the ICO and the DoH will follow this Policy with immediate effect.

The process reflects the Health and Social Care Information Centre (HSCIC) "Checklist Guidance for Reporting, Managing and Investigating Information Governance Serious Incidents Requiring Investigation", June 2014 v3.
2. Purpose

The Trust is committed to improving its programme of risk management and incident reporting. Reporting incidents is an integral part of clinical and corporate governance. This Policy will help to:
• Support the Trust's Risk Management Programme, in which risks are identified, reported through the appropriate channels, investigated and assessed, with subsequent actions carried out.
• Ensure the management of IG SIRIs conforms to consistent and agreed processes and procedures as set out by our legal and regulatory obligations. This includes the reporting of near misses as well as actual IG SIRIs.
• Ensure appropriate action is taken to prevent damage to patients, staff, the reputation of the Trust and any other third party or organisation.
• Assist in safeguarding the Trust's Information Assets and information flows.
• Embed a culture of openness for reporting incidents.
• Identify issues and lessons learned from each SIRI so that these can be communicated to staff and policies updated as and when necessary to prevent recurrence of the incident.
3. Scope

This policy applies to:
• The Trust's administrative and business activities that are considered to be information governance or data security related.
• All staff employed within the Trust regardless of status, i.e. permanent, temporary, volunteer or casual/agency staff. All staff are expected to be aware of this Policy and to understand their responsibilities in following this guidance.
• Any form of media, including both electronic and paper records.
4. Information Assets

Information assets come in many guises. The following list is therefore illustrative of what is a typical asset:

Personal Information Content
• Databases and data files
• Back-up data and archived data
• Audit data (containing personal identifiers)
• Paper records (e.g. patient/staff notes and records)

Software/Hardware
• Computing hardware including PCs, laptops, PDAs, iPhones, iPads and removable media

5. Definitions

Abbreviation | Description
DPA | Data Protection Act 1998
DoH | Department of Health
HSCIC | Health and Social Care Information Centre
ICO | Information Commissioner's Office
IAO | Information Asset Owner
IAA | Information Asset Administrator
NHS | National Health Service
SI | Serious Incident
SIRI | Serious Incident Requiring Investigation
SIRO | Senior Information Risk Officer

6. Duties and Responsibilities
Chief Executive Officer (CEO)
The Chief Executive is responsible for ensuring that the Trust has an appropriate framework in place that complies with the Trust's legal and statutory obligations.

The Senior Information Risk Officer (SIRO)
The Director of Finance and Informatics is the Trust's appointed SIRO. The SIRO will:
• Take ownership of the Trust's risk management and incident management framework.
• Ensure all information risks and assessments arising from any IG SIRI are identified and managed appropriately.
• Support the IAOs/IAAs in ensuring that any information risks arising from incidents have been mitigated for the future.
• Advise the Chief Executive and any other relevant Trust Boards and accounting officers on the information risks and internal controls of the Trust.
• Lead and foster a culture of openness that values and protects the integrity and confidentiality of information for the benefit of our customers and stakeholders.

Caldicott Guardian
The Trust's Medical Director (Caldicott Guardian) will assist with all IG SIRIs for all information governance assurance purposes.
Deputy Director of Informatics
Overall responsibility for the IG Incident Reporting framework lies with the Deputy Director of Informatics, who has delegated the management and implementation of this framework to the IG Officer.

Information Governance Officer
The Trust's Information Governance Officer is responsible for the coordination, investigation and assessment of any potential IG SIRIs and for the provision of guidance and advice on the application of this policy and the IG Toolkit Incident Reporting Tool. All serious IG incidents will be reported by the IG Officer via the IG Toolkit Incident Reporting Tool.

Service Leads/Line Managers
All line managers are responsible for communicating this policy to their teams/staff and ensuring that staff attend all IG training events. This will ensure that policies such as this, which apply to all service areas, are implemented appropriately and that staff understand their responsibilities in respect of dealing with IG SIRIs.
Line managers are also responsible for monitoring compliance with this guideline, e.g. by undertaking ad hoc audits to check for inappropriate disclosures, records left out, misuse of passwords etc. when necessary.
7. What is a Serious IG Incident

There is no simple definition of what constitutes a serious IG incident. What may at first appear to be trivial in nature may, on further investigation, be a serious incident.

As a guide, incidents are normally classified as either a breach of confidentiality or a breach of data security. The common theme is that there has been:
• A failure to meet the requirements of the Data Protection Act 1998, the Caldicott Principles and the common law duty of confidentiality.
• An unlawful disclosure or misuse of confidential information, or the recording or sharing of data with inappropriate parties, which is considered an invasion of a person's privacy, e.g. a piece of paper identifying a patient found in a back lane or high street.

Some common examples are listed below.

Breaches of Confidentiality
• Accessing computer systems without authorisation or fraudulently, or using/sharing other employees' logins, passwords, smart cards etc.
• Disclosing confidential information to individuals who have no legitimate right of access, e.g. bogus callers or individuals not involved in service delivery.
• Sending a fax or email to the wrong person or organisation.
• Discussing patient information in a public open area where the conversation can be overheard by third parties.
• Leaving patient/staff records where they can be seen and read in an office or an employee's car.
• The loss of paper files and computer printouts.

Breaches of Data Security
• The loss of mobile/hardware devices through crime or an individual's carelessness, e.g. laptops, CDs, memory sticks, mobiles, iPads etc.
• Sending emails containing personal details to insecure email addresses.

Conversely, when lost data is protected, e.g. by appropriate encryption, there is no data breach so long as the personal data cannot be accessed (for example, where the device is fully encrypted and neither the key nor the password has been lost with it). There may nevertheless be clinical safety implications that require the incident to be reported via a different route.

This is not an exhaustive list and should only be used as a guide. More examples are provided in Appendix 1. If in doubt, staff should speak to their line manager or the IG Team in the first instance for further advice.
8. Adverse Effects of Data Breaches

Personal data breaches are those serious IG incidents that have significant adverse effects on the individuals involved. An adverse impact can be defined as any of the following:
• A threat to an individual's safety or privacy
• Identity theft, e.g. credit ratings affected
• Financial loss, e.g. loss of employment
• Unwarranted distress and damage to an individual

From the Trust's point of view such a serious incident may cause:
• Embarrassment and negative publicity
• A monetary penalty or enforcement notice issued by the Information Commissioner's Office (ICO), with penalties of up to £500,000 per serious breach
• Disruption to business practices
9. Initial Reporting

Whenever a suspected IG SIRI has occurred it is imperative that staff report the incident to their line manager (i.e. the IAO) and follow the Trust's Incident/Near-Miss Reporting and Investigation Policy (including Serious Incidents), recording the details of the incident in the Trust's incident reporting system, Datix. This checklist guidance should be used by all staff managing IG SIRIs.

Although many reported incidents will turn out to be near misses, staff are encouraged to report these in order to help us identify procedural framework issues and to disseminate lessons learnt to other departments.

More serious IG SIRIs must also be reported informally to key staff, e.g. the SIRO, Caldicott Guardian, Deputy Director of Informatics, Communications Team and the IG Officer (unless already informed), so that they are forewarned and in a position to deal with any enquiries from third parties. Early notification and preparation is key to dealing with IG SIRIs. Where an IG SIRI occurs out of hours, the current on-call arrangements must be followed to ensure that the correct contacts are notified.

(Please refer to Appendix 2 for a graphic summary of the IG SIRI process.)
10. On-Call Arrangements

For incidents out of hours the arrangements to be followed are as follows:
• The member of staff must inform the Senior Manager On-Call of any suspected IG SIRI.
• On verification of the incident and its severity, the On-Call Manager must then contact the Director On-Call.
• The Director On-Call should inform the Corporate Management Team, the Head of Communications and the Deputy Director of Informatics where an incident is of national or regional media interest, or involves particularly sensitive data, including high volumes of personal data that may cause significant detriment or distress to individuals.
• Contact details for the roles listed above are given in Appendix 6.
11. Hosted Organisations

For any teams/departments hosted by Gateshead Health NHS Trust (e.g. where the Trust provides the IT network), it is imperative that this local policy is adhered to and that the incident is reported to the relevant roles as stipulated in section 10.

12. Informing Data Subjects

Consideration should always be given to informing the data subjects/individuals concerned when person-identifiable information about them has been lost or inappropriately placed in the public domain. Where there is any risk of identity theft or unwarranted distress it is strongly recommended that this is done in writing.
13. Assessing the Severity of an IG Incident

The category of an IG SIRI is determined by the context, scale and sensitivity of the incident.

The primary factors for assessing the severity level of any incident are:
• The number of individuals (i.e. data subjects) affected by the incident
• The potential for media interest
• Reputational damage to the Trust

Incidents that usually warrant a higher rating include those where there is:
• Potential litigation
• A report already made to a statutory body, e.g. the ICO
• The potential for unwarranted distress or damage to the individual(s)
• Financial damage to the individual(s)

The sensitivity of the information may raise or lower the categorisation of an incident, and an incident may have characteristics that cancel each other out. For the purpose of IG SIRIs the sensitivity factors are:
• Low: reduces the base categorisation
• Medium: has no effect on the base categorisation
• High: increases the base categorisation

The steps to take in working through this exercise are as follows.

Step 1: Baseline Assessment

Any incident will need a baseline assessment, from which the final score is derived. To establish the baseline the incident must be scored using the table below:

Where the number of individuals potentially impacted by an incident is unknown, a sensible worst-case view must always be taken so that the SIRI level is assessed on an informed basis. All SIRIs are considered potentially serious, but the number of individuals who may potentially suffer distress, harm or other detriment is a major deciding factor in working out the IG incident level score.

Step 2: Sensitivity Scoring

Next, score the sensitivity characteristics of the information inappropriately disclosed; this may increase or reduce the baseline score.

As more information becomes available, the SIRI level may need to be reassessed to reflect the true value of the information risk.

If the likelihood of media interest was initially assessed as minor but later changes due to unforeseen circumstances (e.g. a relevant FOI request or specific journalist interest), the IG SIRI level must be revised quickly to reflect this and all key bodies notified. Note that informing the data subjects is likely to put an incident into the public/media domain too.

Where the adjusted score indicates that the incident is level 2 or above, the incident must be reported to the ICO and the DoH via the IG Toolkit Incident Reporting Tool, which notifies them automatically. This is done by the Trust's IG Officer.

Step 3: Indicated IG SIRI Score

The IG SIRI score levels are indicated below:

Level | Description of the Type of Incident | Reportable to a Statutory Body
0 | A near miss / non-event. | Not reportable
1 | Confirmed as an IG SIRI but there is no need to report the incident to a statutory body, e.g. the ICO, DH and other central bodies. | Not reportable
2 and above | Confirmed as an IG SIRI that must be reported to the ICO, DoH and other central bodies. | Reportable

Please refer to Appendix 3 for examples of how to score serious IG incidents.
14. Near Misses

If an incident is found not to have occurred, or the severity of the category has been reduced due to factors that were not planned for, this may be recorded as a "near miss". This will allow the Trust to undertake a lessons learned exercise and to put appropriate actions in place.

Diligent employees should always question procedures, protocols and events that they consider could cause damage, harm or distress, result in non-compliance with national guidance, or bring the Trust's name into disrepute. This will help the Trust to minimise any disruption to business practices.
15. The Management and Reporting of IG Incidents

15.1 Logging an IG Incident

Upon receiving the Datix notification the IG Officer will assess the IG incident using the HSCIC guidance to determine whether the severity score has been applied correctly (see Appendix 2).

15.2 Incidents Categorised 0-1

For incidents scored 0 or 1, the relevant senior member of staff in the department where the breach has occurred will be the appointed investigator. The Trust's IG Team will provide support, guidance and any relevant training where required. It will be an integral part of the action plan that any action taken:
• Minimises any potential adverse effects on those affected by the incident.
• Reduces the risk of the incident happening again in the near future. It is worth pointing out that where the same incidents are occurring repeatedly there is the potential for the Information Commissioner's Office to fine the Trust for not taking appropriate action, even at level 1.
15.3 Incidents Categorised 2 and Above

For incidents that score 2 and above the IG Officer will:
• Inform the Trust's SIRO, Caldicott Guardian and Deputy Director of Informatics in the first instance, before the incident is officially reported to any statutory body (unless this has already been done).
• Report the incident to the HSCIC via the online IG Toolkit Incident Reporting Tool within 24 hours of the event occurring. The reporting tool will require the following details:
  o Date, time and location of the incident, including a factual description
  o Breach type
  o Details of the Trust's incident management arrangements
  o The type of disclosure: theft, accidental loss, unauthorised disclosure, procedural failure etc.
  o The number of individuals and records involved
  o The format of the information and whether the data was encrypted
  o Whether the SIRI is already in the public domain and whether media interest exists
  o Whether any legal implications exist
• Co-ordinate the investigation across all relevant departmental boundaries within 5 working days.
• Engage with appropriate managers and specialists to instigate a Root Cause Analysis of the incident using the IG SIRI Investigation Checklist Report template in Appendix 4.
• Ensure all interviews, findings and evidence are reviewed, documented, reported to appropriate senior line management and preserved for future retrieval.
• Maintain an audit trail of events and of the evidence supporting decisions taken during the investigation.
• Inform the data subjects (e.g. patients, service users, staff), especially where there is potential for identity theft or unwarranted distress which can be avoided or mitigated if the data subject is notified of the incident.
• Draw up an action plan (see Appendix 5) in conjunction with the appropriate service line to institute any recovery plans and instigate measures to prevent recurrence.
• Invoke staff disciplinary procedures, where necessary, if staff are in serious breach of the Trust's IT and Information Security Policy or any IG Policy framework.
• Identify any lessons learnt to be reflected in policy/procedure revisions.

15.4 Final Reporting, Closure and Lessons Learned Activity

It will be the responsibility of the IG Officer to:
• Set an appropriate timescale for completing and finalising the investigation and action plan.
• Produce a final report for senior staff and the Trust's steering groups/committees/boards, e.g. the Health Informatics Assurance Group (HIAG) and the Health Informatics Strategy Group (HISG).
• Determine who is responsible for disseminating the lessons learnt during the investigation.
• Close the SIRI. The HSCIC guidance states it is reasonable to expect cases to be closed within 3 months. Closure must only take place when all aspects, including any disciplinary action against staff, are settled and complete.
• Inform the Trust Board of its external reporting responsibilities regarding IG SIRIs.

All actions taken to mitigate any risks arising from a SIRI must also be reflected in the relevant risk registers and business continuity arrangements.
16. External Reporting

All incidents reported via the IG Toolkit Incident Reporting Tool will trigger an automated notification email to the Department of Health, the Health and Social Care Information Centre and the Information Commissioner's Office, and any other appropriate regulators, in the first instance.

IG SIRIs marked as 'open', 'withdrawn' or 'duplicate' are not published; only closed incidents are published quarterly by the Health and Social Care Information Centre (HSCIC). It is therefore integral to the investigation that all information collected and recorded is reliable, accurate and up to date, and does not include any information that would not normally be released under the Freedom of Information Act 2000. Trust staff are reminded that aspects of these records are published into the public domain following closure.

Such records can be reopened on the IG Toolkit Incident Reporting Tool where proceedings need to be updated.

A decision must also be taken on whether to inform other regulators where the circumstances of the incident warrant it, e.g. where there are risks to the safety of patients in the Trust's care, in which case the NHS England Patient Safety Division may need to be informed.
17. Reporting and Publishing Details

Any incident of a serious IG nature rated level 2 or above must be reported in the Trust's Annual Report and Governance Statement as a significant control issue. These reports must be published via the Trust's website. The Board will observe the following publication principles:
• All public statements made in relation to any incident will be consistent with those released under the Freedom of Information Act 2000 and published in Annual Reports and Statements.
• Information will not be released where it is not considered suitable, e.g. where the incident is sub judice and cannot be reported publicly due to pending legal proceedings.

Incidents must be reported at an individual level regardless of their open or closed status, as in the example below:

Table 1: Level 2 Incidents

SUMMARY OF SERIOUS INCIDENTS REQUIRING INVESTIGATION INVOLVING PERSONAL DATA AS REPORTED TO THE INFORMATION COMMISSIONER'S OFFICE IN (FINANCIAL YEAR)

Date of Incident (month/year) | Nature of Incident | Nature of Data Involved | Number of Data Subjects Potentially Affected | Notification Steps
April 2015 | 50 clinical files lost | Name, address, clinical notes | 50 people | Informed the ICO

Further Action on Information Risk
The Trust will continue to monitor and assess its information risks, in light of the events noted above, in order to identify and address any weaknesses and ensure continuous improvement of its systems.
The member of staff responsible for this incident has been (please add action).

Details of all level 1 IG incidents must be aggregated and reported in the SIRO and Annual Reports using the following format:

Table 2: Level 1 Incidents

SUMMARY OF OTHER PERSONAL DATA RELATED INCIDENTS IN (FINANCIAL YEAR)

Category | Breach | Total
A | Corruption or inability to recover electronic data |
B | Disclosed in error |
C | Lost in transit |
D | Lost or stolen hardware |
E | Lost or stolen paperwork |
F | Non-secure disposal (hardware) |
G | Non-secure disposal (paperwork) |
H | Uploaded to website in error |
I | Technical security failings (including hacking) |
J | Unauthorised access/disclosure |

Incidents rated at severity 0 do not need to be reflected in any report or statement.
18. Financial Penalties

Staff are reminded of the enforcement powers of the Information Commissioner's Office (ICO). The ICO has the power to issue monetary penalties of up to £500,000 for serious breaches of the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations. Data controllers have the right to appeal against a monetary penalty to the First-tier Tribunal (Information Rights), but this does not mean that the penalty will be overturned.

19. Training

All staff will continue to be informed about the importance of reporting information governance related incidents via the Trust's mandatory training programme. A variety of media such as handouts, staff newsletters, emails and bespoke training sessions will also support this. Lessons learned will be fed back into future training to encourage further participation and to demonstrate the value of reporting incidents and near misses to IT, the IG Team and the relevant committees.

20. Implementation

All staff are required to comply with the requirements of this Policy; failure to do so may result in disciplinary action. This policy is implemented in conjunction with the Trust's Policy for the Development, Management and Authorisation of Policies and Procedures.

21. Distribution

This policy will be distributed by the Information Governance Team via the staff intranet at www.qegateshead.nhs.uk.

22. Equality and Diversity

The Trust is committed to ensuring that, as far as is reasonably practicable, the way we deliver our services does not discriminate against individuals on any equality or diversity grounds (protected characteristics under the Equality Act 2010). An equality analysis was undertaken for this policy and it was concluded that no individuals were affected by this policy.
23.
Monitoring and Compliance of the Policy
Responsibility for this Policy rests with the Information Governance Team. The performance of this
Policy will be monitored by our auditing requirements and will be updated to reflect changes in
national guidance, case law and the Trust’s reporting structure, whenever necessary.
Standard/Process/Issue | Method | Monitoring and Audit By | Frequency
Staff compliance with reporting serious IG incidents | Datix and quarterly reports to the HIAG | IG Officer, HIAG | Every 6 months
Numbers and types of serious IG incidents occurring | Numbers, location, severity, type of incidents, reoccurrence etc. | IG Officer, HIAG | As and when necessary
Completion of IG training | No. of staff attending training sessions, monitored by O&D / HIAG | O&D and IG Officer, HIAG | Quarterly
Completion of appropriate action plans to prevent incident reoccurrence | Action plans are implemented and monitored regularly by teams/depts. | IG Officer, HIAG | As and when necessary
Internal and External Audit Feedback | Recommendations from audits to feed back into the process | IG Officer, HIAG | Quarterly
IG complaints from service users | No. of complaints received from patients and staff about the use or misuse of their data | IG Officer / Health Records Mgr., HIAG | Ongoing
Enforcement | Enforcement notices, fines and enquiries from formal bodies | IG Officer / Security Mgr., HIAG | Ongoing
The Information Governance Officer will produce bi-monthly and annual reports, presented to the
Health Informatics Assurance Group (HIAG), to demonstrate compliance with this policy.
24.
Reference Material
• Checklist Guidance for Reporting, Managing and Investigating Information Governance
Serious Incidents Requiring Investigation: Health and Social Care Information Centre
(HSCIC), June 2014, v3:
https://www.igt.hscic.gov.uk/resources/IGIncidentsChecklistGuidance.pdf
• Notification of Data Security Breaches to the Information Commissioner’s Office, July 2012,
V1:
https://ico.org.uk/media/for-organisations/documents/1536/breach_reporting.pdf
• The ICO Guide to Data Protection:
https://ico.org.uk/for-organisations/guide-to-data-protection/
25.
Associated Documentation
IG01 - Information Governance Strategy
IG06 - Confidentiality and Data Protection Policy
OP06 - IT and Information Security Policy
RM04 - Incident/Near-Miss Reporting and Investigation Policy (including Serious Incidents)
Appendix 1: Examples of Potential Data Breaches
Each type of breach is listed below with the examples covered by its definition.

Type of Breach: Unauthorised Access/Disclosure
This category covers:
• Accessing a person’s record inappropriately, e.g. viewing your own health record or those of family members, neighbours, friends etc., to which the person has no legitimate right of access;
• Sharing or writing down passwords and not locking them away;
• Using other employees’ IT accounts, login IDs and swipe cards for access, e.g. Smart Card etc.;
• Leaving confidential/sensitive files out;
• Giving out inappropriate personal data over the telephone;
• Positioning PC screens where information could be viewed by the public.
Example 1 - An employee with access to a centralised database on Medway accesses her daughter’s boyfriend’s records to ascertain if he has any medical conditions, e.g. GUM data. The employee has no legitimate business need to view the documentation and is not authorised to do so. The employee is in breach of the Trust’s IT and Information Security Policy, invoking staff disciplinary procedures.

Type of Breach: Disclosed in Error
This category covers any information which has been disclosed to or sent to an incorrect and unauthorised party or organisation. Examples include:
• Letters and correspondence sent to the wrong person;
• Sending personal identifiable data externally by insecure email (i.e. not using a NHSmail account to another NHSmail account, or a ghnt account to another ghnt account) and not using a password protected attachment when appropriate;
• Inclusion of letters and information relating to other data subjects in error;
• Failure to redact personal information that is being supplied to third parties;
• Verbal disclosures made in error;
• Emails and faxes being sent to the wrong person or organisation;
• Mail merging errors which have led to incorrect individuals receiving personal data.

Type of Breach: Loss of Hardware/Software
This covers the loss or theft of personal data on portable devices such as:
• Laptops/Tablets;
• iPads/iPods;
• Mobile phones containing personal data;
• Memory cards;
• Hard drives/servers;
• Any mobile device containing personal data.
The loss or theft can take place on or off the Trust’s premises. For example, the theft of a laptop from an employee’s home or car, or the loss of a portable device whilst travelling on public transport, would be covered by this category. Unencrypted devices are a particular risk to the Trust.

Type of Breach: Loss of Paperwork
This refers to any lost or stolen data in paper format which would be considered personal data, e.g.:
• Medical files;
• Letters;
• Rotas;
• Ward handover sheets;
• Employee records;
• Work diaries (if they contain personal data about individuals).
The loss can take place on the Trust’s premises, from an employee’s home or car, or whilst travelling on public transport, e.g. the bus or train.

Type of Breach: The Altering and Corruption of Data
This category covers the avoidable or foreseeable corruption and tampering of data which can have quantifiable consequences for the affected individuals, e.g. the disruption of care or adverse clinical outcomes. Examples include:
• Staff altering or changing data in patient/staff records;
• The corruption of a file which renders the data inaccessible;
• The inability of a person to recover a file due to its format being obsolete or access controls not being accessible, e.g. the loss of a password or encryption key.

Type of Breach: Non Secure Disposal of Paperwork
The failure to return confidential paperwork to work premises, or the inappropriate disposal of personal data, can have catastrophic consequences for the Trust. Examples include:
• Personal data disposed of in normal waste bins;
• Personal data/files taken to recycling banks for disposal;
• Data sent to landfill for recycling purposes (this would include refuse mix-ups in which personal data is placed in the general waste);
• Failure to use confidential bins on site;
• The failure of contractors to remove and destroy personal data securely.

Type of Breach: Lost in Transit
This is the loss of any data, e.g. CDs, tapes, DVDs, paper records or portable media, whilst in transit from one business area to another location. It may include:
• Data lost by a courier;
• Data lost in the general post, e.g. internal post or Royal Mail;
• Data lost whilst on site but in situ between premises/buildings or departments;
• Data lost whilst being hand delivered, whether that be by an employee, a contractor or another third party acting on behalf of the Trust.
It does not however include work taken home by a member of staff for the purposes of homeworking or similar.

Type of Breach: Inappropriate Disclosures on Media
This category relates to personal data uploaded onto websites and social media which is not considered appropriate or has not been consented to by the individual(s) concerned. Examples include:
• The failure to acquire a person’s consent to upload personal data to website pages etc.;
• The failure to redact personal data from any upload;
• Uploading incorrect information;
• Failure to adhere to the principles of the Data Protection Act 1998.

Type of Breach: Non Secure Disposal of Hardware
The failure to abide by appropriate security standards when disposing of assets that contain personal data. Examples include:
• The failure to securely wipe hard drives prior to destruction or removal;
• The failure to destroy hardware in line with appropriate industry standards;
• The resale of equipment with personal data still left on the device.

Type of Breach: Technical Failures
This category concentrates on technical measures that the Trust should take to prevent an IG incident from occurring. Examples include:
• Failure to secure systems from inappropriate/malicious access;
• Failure to build website/access portals to appropriate technical standards;
• The storage of data alongside other personal identifiers which is in defiance of industry best practice;
• Failure to protect internal file sources from accidental/unwarranted access (for example failure to secure shared file spaces);
• Failure to implement appropriate controls for remote system access for employees (for example when working from home).
With respect to successful hacking attempts, the ICO’s interest would be to determine whether the Trust had adequate technical security controls in place to mitigate the risk of it happening.

Type of Breach: Other
This category is designed to capture other issues not covered by the aforementioned:
• The failure to decommission a former premises by removing personal data appropriately;
• The sale or recycling of office equipment (such as filing cabinets) later found to contain personal data;
• Inadequate controls around physical employee access to data leading to the insecure storage of files (for example the failure to implement a clear desk policy or a lack of secure cabinets);
• Failure to put adequate measures in place for the transfer of personal data overseas;
• The unfair processing of personal data;
• Failure to maintain adequate and relevant records.
Appendix 2: IG SIRI Process
Appendix 3: Examples to Demonstrate the IG SIRI Severity Assessment Score
Example 1
A member of staff has access to digital health records as per her job role.
Her daughter has recently started dating an older man. The employee has
been caught accessing his records, including those of 5 members of his family.
The main record included a reference to a recent STD.
Baseline scale factor
0
Sensitivity factors
+1 Detailed information at risk e.g. clinical/care case notes, social care
+1 High risk confidential information
+1 Failure to implement, enforce or follow appropriate organisational or
technical safeguards to protect information
+1 Individuals affected are likely to suffer substantial damage or distress,
including significant embarrassment or detriment
Final scale point 4 so this is a level 2 reportable SIRI
Example 2
A ward handover sheet containing sensitive personal details of 15
patients from a mental health inpatient ward was found by a member of
the public and handed back into the Trust. The gentleman who found the
handover sheet said that he found it on the road outside his house. The
sheet contained the patient's full name, hospital number and a brief
description of their current condition.
Baseline scale factor
1
Sensitivity factors
+1 High risk confidential information
+1 Failure to implement, enforce or follow appropriate organisational or
technical safeguards to protect information
Final scale point 3 so this is a level 2 reportable SIRI
Example 3
A member of staff reports that the complete paper health records of two
of his patients have been inadvertently disposed of. He was working on
the records at home when the envelope they were in was thrown into
the recycling bin by accident. The bin has been emptied. The clinician
works for the Child and Adolescent Mental Health Service.
Baseline scale factor
0
Sensitivity factors
+1 High risk confidential information
+1 Failure to implement, enforce or follow appropriate organisational or
technical safeguards to protect information
Final scale point 2 so this is a level 2 reportable SIRI
Example 4
Information about a child and the circumstances of an associated child
protection plan has been faxed to the wrong address.
Baseline scale factor
0
Sensitivity factors
-1 No clinical data at risk
+1 Sensitive information
+1 Information may cause distress
Final scale point 3 so this is a level 2 reportable SIRI
Example 5
Subsequent to incident 4, the same error is made again and the recipient
this time informs the Trust she has complained to the ICO.
Baseline scale factor
0
Sensitivity factors
-1 No clinical data at risk
+1 Sensitive information
+1 Information may cause distress
+1 Repeat incident
+1 Complaint to ICO
Final scale point 3 so this is a level 2 reportable SIRI
Example 6
Two diaries containing information relating to the care of 240 midwifery
patients were stolen from a nurse’s car.
Baseline scale factor
2
Sensitivity factors
0 Limited clinical information
Final scale point 2 so this is a level 2 reportable SIRI
Example 7
An imaging system supplier has been extracting PID. A range of data
items including names and some clinical data and images have been
transferred to the USA but are held securely. No third party has received
any data.
Baseline scale factor
3
Sensitivity factors
-1 Limited demographic data
0 Limited clinical information
-1 Data held securely
+1 Sensitive images
+1 Data sent to USA deemed newsworthy
Final scale point 3 so this is a level 2 reportable SIRI
Example 8
It is discovered that a patient’s medical records are lost following the
submission of a subject access request.
Baseline scale factor
0
Sensitivity factors
+1 Detailed information at risk
+1 Patient distressed
+1 Patient complaint to the ICO
Final scale point 3 so this is a level 2 reportable SIRI
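The scoring rule that the eight examples above apply (baseline scale factor plus the sum of the sensitivity factor adjustments) is implemented below as an added worked example, not part of the policy or of the HSCIC guidance. Two things the examples use but this page does not state are assumed and labelled as such: the scale is bounded at 0 to 5, and a final scale point of 2 or more is a level 2 (reportable) SIRI.

```python
"""Added worked example, not part of the policy: the IG SIRI severity score
shown in Appendix 3, implemented in Python.

Rule demonstrated by the appendix: final scale point = baseline scale factor
(set by the number of individuals affected) plus the sum of the sensitivity
factor adjustments, each of which is -1, 0 or +1.
Assumptions not stated on this page: the scale runs from 0 to 5 (totals are
clamped), and a final scale point of 2 or more is a level 2 reportable SIRI.
"""
from dataclasses import dataclass, field

SCALE_MIN, SCALE_MAX = 0, 5     # assumed bounds of the scale
REPORTABLE_THRESHOLD = 2        # assumed: scale point >= 2 -> level 2


@dataclass
class Incident:
    description: str
    baseline: int                                   # baseline scale factor
    # (sensitivity factor, adjustment) pairs; each adjustment is -1, 0 or +1
    factors: list[tuple[str, int]] = field(default_factory=list)


def final_scale_point(incident: Incident) -> int:
    """Baseline plus all sensitivity adjustments, clamped to the scale."""
    if not SCALE_MIN <= incident.baseline <= SCALE_MAX:
        raise ValueError(f"baseline out of range: {incident.baseline}")
    for name, adj in incident.factors:
        if adj not in (-1, 0, 1):
            raise ValueError(f"adjustment out of range for {name!r}: {adj}")
    total = incident.baseline + sum(adj for _, adj in incident.factors)
    return max(SCALE_MIN, min(SCALE_MAX, total))


def severity_level(incident: Incident) -> int:
    return 2 if final_scale_point(incident) >= REPORTABLE_THRESHOLD else 1


def assess(incident: Incident) -> str:
    """Verdict line in the wording Appendix 3 uses."""
    point, level = final_scale_point(incident), severity_level(incident)
    tag = "reportable" if level == 2 else "not reportable"
    return f"Final scale point {point} so this is a level {level} {tag} SIRI"


# Appendix 3, Example 2: handover sheet for 15 mental health inpatients
EXAMPLE_2 = Incident("Ward handover sheet found in the street", baseline=1,
                     factors=[("High risk confidential information", +1),
                              ("Failure to follow appropriate safeguards", +1)])

# Appendix 3, Example 7: imaging supplier transferring PID to the USA
EXAMPLE_7 = Incident("Imaging supplier extracted PID to the USA", baseline=3,
                     factors=[("Limited demographic data", -1),
                              ("Limited clinical information", 0),
                              ("Data held securely", -1),
                              ("Sensitive images", +1),
                              ("Data sent to USA deemed newsworthy", +1)])

if __name__ == "__main__":
    for example in (EXAMPLE_2, EXAMPLE_7):
        print(f"{example.description}: {assess(example)}")
```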
Appendix 4: IG SIRI Investigation Checklist Report
This checklist will form the basis of the IG SIRI internal investigation. Against each requirement number (Req. No.) and action to be taken, record the information provided.

Type of Incident
1. Breach type, i.e. theft, accidental loss, inappropriate disclosure, procedural failure etc. Please provide details of the incident.
2. Breach type category (i.e. is it a patient confidentiality or data security breach).
Details of the Incident
3. Name of the patient(s) involved (if applicable).
4. Patient’s address (if applicable).
5. Date, time and location of the incident.
6. Date the incident was reported via Datix.
7. Staff employee who reported the incident. Please provide staff contact details.
8. Service/Department affected by the incident.
9. Name of IAO for the department.
10. Name of IAA for the department.
11. The number of patients/service users/staff (individual data subjects) involved.
12. The data sets (i.e. information) lost, tampered with or disclosed in error.
13. The number of records involved.
14. The format of the records (paper or digital).
Data Security
15. If digital format, was the device or hardware encrypted or not encrypted?
16. Where applicable, was the device password and login protected? Please confirm the password was not enclosed with the device.
17. Is the actual data recoverable, e.g. was the device backed up and can the data be recovered?
18. Can the data be wiped from the device centrally?
19. What steps have been or will be taken to recover records/data (if applicable)?
Risk Management
20. Whether there are any consequent risks of the incident (e.g. patient safety, continuity of treatment etc.) and how these will be managed.
21. Is the IG SIRI in the public domain?
22. Are the media (press etc.) involved or is there the potential for media interest?
23. Will the SIRI damage the reputation of an individual, a work-team, the Trust, an organisation or the Health or Adult Social Care Sector (HSCIC)?
24. Are there any legal implications to consider?
Reporting
25. Has the incident been reported to the ICO, the DoH, the HSCIC or any other statutory body? This must be done within 24 hours of the event occurring.
26. What is the initial assessment of the severity level of the IG SIRI (see section 12 of the policy to calculate this)?
27. Have the following Trust roles been informed of the incident, whether formally or informally:
• The Information Governance Lead
• The IT and Information Security Manager
• Head of IT
• Health Records Manager
• The SIRO
• The Caldicott Guardian
• The Deputy Director of Informatics
• Head of Information and Data Quality
• The relevant service IAO and IAA
• The IT Help Desk
• The Communications Manager (where media interest exists)
• Security Manager/Specialist
28. Have the data subjects involved in the breach been informed formally?
29. If the incident is a crime, has it been reported to the Police and what is the crime report number/reference? All crime incidents must be reported to the Police within 24 hours of any incident occurring.
30. Was the investigation completed within 5 working days as expected by the HSCIC?
Staff Issues
31. What type of staff were involved in the incident, i.e. permanent, contractors, casual staff?
32. If casual or contract, did the individual(s) receive the appropriate training during their induction process?
33. If the incident was serious, was immediate action taken, including whether to suspend staff pending the results of an investigation?
34. Have any staff contracts been terminated?
Contracts/Suppliers
35. Were any contractors/suppliers involved in the incident?
36. Is the service covered by an agreement?
37. Were any risk assessments undertaken prior to the agreement being made with the contractor/supplier?
38. Where appropriate, has the contract been suspended or terminated?
Lessons Learned
39. Has an action plan been drawn up for the relevant IAO/IAA to ensure the area does not incur a repeat of the SIRI?
40. Have the lessons learned been identified and highlighted in any reporting or improvement plans?

Any further comments relevant to the incident should be stipulated in the box below:
__________________________________________________________________
For Office Use Only
SIRI Investigator: ………………………………………….. Signature: …………………………......
Job Title: …………………………………………………….
Date: …………………………………….
Department: ………………………………………………………………………………………….............
Appendix 5: Action Plan to Mitigate Risks Involved in the IG SIRI
Information Risk | Control | Action Required | Issues
Appendix 6: Useful Contacts for Potential IG SIRIs
Role | Name of Person | Ext. (0191 445 + Ext.)
Information Governance Lead | Marie Galloway | 5680
Health Records Manager | Mark Smith | 2161
IT and Information Security Manager and IT Help Desk | Derek Prudhoe | 2397
Head of Information and Data Quality | Michelle Conroy | 3230
Head of IT | Mhairi Rooney | 2552
Deputy Director of Informatics | Nick Black | 6204
Head of Risk Management | Sue Winn | 2338
SIRO | John Maddison | 6101
Caldicott Guardian | Keith Godfrey | 5637
Communication Team | Ross Wigham | 6120