Skip to main content

Personal data breaches and related incidents guidance for health and care professionals

This guidance is designed to help health and care organisations deal with personal data breaches and incidents, for example, losing personal information. It provides advice on what a personal data breach and related incidents are and the steps that need to be taken if a personal data breach or incident occurs.

Page contents

Information security is the responsibility of each individual local health and care organisation, from GP practices to hospital trusts.

Ensuring health and care data is protected and used safely is a priority for health and care organisations. There are many safeguards in place to ensure that data is used across the health and care system in a safe, secure and legal way.

You are required by law to protect the personal or confidential patient information you use when providing care. This means ensuring it is only accessed by those that need it, providing only information required for that purpose, and ensuring you have consent or another legal basis to share the information.

What is a personal data breach?

There may be occasions when things go wrong. A personal data breach means an accidental or deliberate breach of security which leads to:

The loss or unlawful destruction of data
The loss or unlawful destruction of data

This could include, for example, health and care information that is accidentally deleted as a result of an IT error.

Alteration of data
Alteration of data

This could include a staff member accidentally changing something in a patient or service user record. For example, changing a medication dosage from milligrams (mg) to grams (g).

Unauthorised disclosure
Unauthorised disclosure

This could include an email containing information about a patient being sent to the wrong email address.

Unauthorised access
Unauthorised access

This could include criminals gaining unauthorised access to patient information through a cyber-attack on a health and care organisation.

Loss of access
Loss of access

This could include systems going down or being unavailable, for example due to a ransomware attack or hardware failures.

What to do if you think there has been a personal data breach or incident

If you become aware of a personal data breach or incident, such as a hardware failure, you should follow your organisation’s reporting procedure. Usually, this is in your information governance (IG) or cyber security policy and will require you to report the incident via your organisation’s incident reporting process or tell your Data Protection Officer (DPO) if you are unsure what to do.

You should report a personal data breach or incident as soon as you become aware of it. Your report should set out what has happened and any steps you have taken. For example, "email containing the name, DOB and NHS number of a patient sent to the wrong Jane Smith on 5 March. Recalled the email and asked the recipient to delete it and they have confirmed this." You must contribute to any investigation carried out.

If you are unsure if a personal data breach or incident has occurred, you should still report it via your organisation’s incident reporting system. You should also consider whether you are required to report any "near miss" personal data breaches and incidents. A near miss is where a personal data breach or incident could have occurred if it had developed or been left. An example is leaving patient records unsecured in a main hospital corridor used by the public. Reporting near misses helps your organisation learn from potential mistakes and consider changes to ensure that information is kept secure.

Example

Personal data was accidentally made available online for a brief period of time. However, as soon as this was realised, the information was immediately taken down and it was established shortly after that the data wasn't accessed by anyone.

Guidance for patients and service users

Guidance for IG professionals

Last edited: 7 May 2026 4:51 pm