Part of IG framework for integrated health and care: Shared care records
Appendix 5: Data breach management
A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
UK GDPR places a duty on all organisations to investigate security incidents to establish whether a personal data breach has occurred. Robust breach detection, investigation and internal reporting procedures therefore need to be in place.
If a personal data breach has occurred, the organisation must act promptly to contain and address it. Breaches that are likely to result in a risk to individuals' rights and freedoms must be reported to the relevant supervisory authority (the ICO in the UK) without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. If the breach is likely to result in a high risk to individuals' rights and freedoms, the organisation must also inform the affected individuals without undue delay. Organisations must keep a record of all personal data breaches, including the facts, their effects and the remedial action taken, regardless of whether or not they are reported to the supervisory authority.
Any breach that also meets the criteria for a notifiable incident under the Network and Information Systems (NIS) Regulations 2018 will be forwarded to the Department of Health and Social Care (DHSC). The Secretary of State for Health and Social Care is the competent authority for NIS in the health and social care sector. The ICO remains the regulator for personal data breaches under UK GDPR, and is the NIS competent authority for relevant digital service providers.
Useful documents and guidance
The NHS England Data Security Standard 6: Guide to the Notification of Data Security and Protection Incidents sets out the different types of breach, when a breach is reportable, and the incident management and breach reporting process.
The guide is written for all organisations operating in the health and care sector. This includes organisations registered with the Care Quality Commission (CQC) and organisations processing health and social care personal data under contract with the health and social care sector, such as directly commissioned services and their support services.
Health and care organisations (and organisations processing health and social care data under contract with them) report breaches using the Reporting Tool within the Data Security and Protection Toolkit (DSPT). A report made through the DSPT tool is passed to the ICO where it meets the reporting threshold, so a separate notification to the ICO is not needed. Other organisations, such as private health and social care services that are not contracted by a public-sector organisation, and those parts of local government not delivering adult social care services, may either use the Reporting Tool within the DSPT or report to the ICO directly. The ICO has produced guidance on its website that sets out a data breach management and reporting process.
Last edited: 31 March 2026 8:26 am