Information risk and impacts to individuals following personal data breaches: guidance for health and care professionals

This guidance provides detailed information on the potential negative impacts or risks associated with the breach of certain types of information, and on actions that may need to be taken.

For guidance on steps that need to be taken if a breach occurs see our guidance on personal data breaches.


Personal data breaches and risks to individuals will be assessed by your local information governance (IG) team, data protection officer, Caldicott guardian or by the person in your organisation who is responsible for data protection and security.

You may be asked to advise on the vulnerabilities of certain individuals to allow the relevant people to make an assessment on the level of risk a breach poses to them.

Where a breach has a clinical impact, for example, because test results are unavailable due to a system outage, you may be asked to advise on the extent of clinical implications and should work closely with your wider organisation and incident response teams to mitigate any risks wherever possible.

You may also be asked to consider and advise on how an individual may be impacted by being notified of a data breach, for example, if this is likely to cause them significant distress. Your insight into the care and circumstances of the individual may be requested to inform the assessment of this risk to the individual, which may also involve discussion with your Caldicott guardian.

In certain circumstances, such as where the person impacted by the breach is considered vulnerable or there are other relevant circumstances, it may be more appropriate for a health or care professional to lead on communicating with individuals or their family/friends about a data breach. Where this is the case your IG team, or the person with responsibility for data protection in your organisation, will work closely with you to support the communication of appropriate information.

A personal data breach can cause significant distress to individuals and their families/friends. It is important that they are supported at that time. Those responsible for data protection within your organisation should be able to help you to understand the support available to individuals following a breach. Where a breach poses a risk to your relationship with an individual and potentially their care, for example if a patient or someone receiving care is refusing care because of a loss of trust, you should discuss this with your IG/data protection support and/or Caldicott guardian.


Adult social care

Further guidance for staff in adult social care can be found in the Digital Care Hub data breach guidance.



Last edited: 7 May 2026 4:47 pm