Personal data breaches and related incidents
Published: October 2021
Updated: October 2024
Content updated as described below:
Introduction:
- definitions of personal data breach and incident added
Healthcare workers section:
- updated examples
IG professionals section:
- added information on requirements in Network and Information Systems (NIS) Regulations
- NIS incident definition added, and NIS guidance linked
Introduction
Health and care organisations are committed to handling information safely and securely.
In this guidance:
- an incident is where there is a problem with a network and information system, for example a computer system, which impacts upon health and care services
- a personal data breach is when identifiable information is impacted, for example because it is lost
Some incidents may result in a personal data breach, for example a cyber incident where IT systems go down and data is stolen by criminals. Other incidents may not result in a personal data breach, for example where an IT system used to track when medical equipment needs servicing goes down.
This guidance is designed to help health and care organisations deal with personal data breaches and incidents, for example, losing personal information. It provides advice on what a personal data breach and related incidents are and the steps that need to be taken if a personal data breach or incident occurs.
- I'm a patient/service user - what do I need to know?
- I work in a health and care organisation - what do I need to know?
- I'm an IG Professional - what do I need to know?
Guidance for patients and service users
Health and care organisations hold data about you and are required by law to keep this information secure. This includes electronic and paper records.
However, accidents may occasionally happen, and your records could be impacted such as:
- being shared inappropriately, for example with another patient with the same name
- being mistakenly destroyed, for example being mixed up with a set of records that are due for destruction
- becoming unavailable, for example due to an IT system going down
- being changed so they become inaccurate, for example due to a glitch when a new IT system is installed
If this happens, steps will be taken to ensure that:
- it doesn’t happen again
- the risks to you and your care are minimised
- everyone learns from the mistake
If there is a breach to the security of your information and there is a high risk to your rights and freedoms, you should be informed by your health and care organisation. If there is a potential risk to you, your health and care organisation will also inform the Information Commissioner’s Office (ICO), for example, if your personal information was lost in a public place. Your health and care organisation may contact you directly, for example, by sending you an email or letter. Alternatively, they may put information on their website.
If you discover a potential personal data breach, you can contact the organisation who you think has caused the personal data breach and make a complaint through its complaints process. If you are dissatisfied with the outcome of your complaint, you can contact the Information Commissioner’s Office. The Information Commissioner's Office has provided advice and some wording to use if you are worried about how an organisation has handled your information.
Guidance for healthcare workers
Information security is the responsibility of each individual local health and care organisation, from GP practices to hospital trusts.
Ensuring health and care data is protected and used safely is a priority for health and care organisations. There are many safeguards in place to ensure that data is used across the health and care system in a safe, secure and legal way.
You are required by law to protect the personal or confidential patient information you use when providing care. This means ensuring it is only accessed by those that need it, providing only information required for that purpose, and ensuring you have consent or another legal basis to share the information.
What is a personal data breach?
There may be occasions when things go wrong. A personal data breach means an accidental or deliberate breach of security which leads to:
The loss or unlawful destruction of data
This could include, for example, health and care information that is accidentally deleted as a result of an IT error.
Alteration of data
This could include a staff member accidentally changing something in a patient or service user record, for example changing a medication dosage from milligrams (mg) to grams (g).
Unauthorised disclosure
This could include an email containing information about a patient being sent to the wrong email address.
Unauthorised access
This could include criminals gaining unauthorised access to patient information through a cyber-attack on a health and care organisation.
Loss of access
This could include systems going down or being unavailable, for example due to a ransomware attack or hardware failures.
What to do if you think there has been a personal data breach or incident
If you become aware of a personal data breach or incident, such as a hardware failure, you should follow your organisation’s reporting procedure. Usually, this is in your IG or cyber security policy and will require you to report the incident via your organisation’s incident reporting process or tell your Data Protection Officer (DPO) if you are unsure what to do.
You should report a personal data breach or incident as soon as you become aware of it. Your report should set out what has happened and any steps you have taken. For example, "email containing the name, DOB and NHS number of a patient sent to the wrong Jane Smith on 5 March. Recalled the email and asked the recipient to delete it and they have confirmed this." You must contribute to any investigation carried out.
If you are unsure if a personal data breach or incident has occurred, you should still report it via your organisation’s incident reporting system. You should also consider whether you are required to report any "near miss" personal data breaches and incidents. A near miss is where a personal data breach or incident could have occurred if it had developed or been left. An example is leaving patient records unsecured in a main hospital corridor used by the public. Reporting near misses helps your organisation learn from potential mistakes and consider changes to ensure that information is kept secure.
Example
Personal data was accidently made available online for a brief period of time. However, as soon as this was realised, the information was immediately taken down and it was established shortly after that the data wasn't accessed by anyone.
Guidance for IG professionals
Your organisation must have appropriate procedures in place to ensure that when a personal data breach or incident takes place, you are able to fulfil your obligations as a controller and uphold the rights of impacted individuals.
In addition to this guidance, please see NHS England’s ‘A just culture’ guide to understand how your organisation can embed ways of working to encourage timely reporting of security issues and learn lessons from them.
Relevant legislation
The Data Protection Act 2018 and UK GDPR place a legal duty on controllers to secure the personal data they process. They also make it a legal requirement for personal data breaches to be reported to the ICO unless they are unlikely to result in a risk to individuals’ rights and freedoms.
The Network and Information Systems (NIS) Regulations relate to the systems and networks of Operators of Essential Services (OES). Currently, these include:
- NHS trusts
- NHS foundation trusts
- integrated care boards (ICBs)
- certain independent providers of healthcare services
Under NIS regulations, GPs are not currently classed as an OES organisation.
The NIS Regulations define an incident as any event having an actual adverse effect on the security of network and information systems. Where an incident involving a system or network has a significant disruptive effect on health and care services, it may be reportable under these regulations via the Data Security and Protection Toolkit (DSPT). An example is an interruption to power supplies which affects medical equipment but does not affect health and care workers’ access to data. What starts as a NIS incident may become a personal data breach, and some incidents may have the characteristics of both.
Deciding on the severity of a personal data breach or an incident and whether it needs reporting
It is the responsibility of the controller to assess and decide whether a breach needs to be reported and to make the report where needed.
NHS England’s Guide to the Notification of Data Security and Protection Incidents is available from the DSPT incident reporting help page. It contains supporting information for when you should report personal data breaches and NIS incidents.
For personal data breaches, the guide contains a breach assessment grid with a risk score matrix, which helps you to determine the severity of a personal data breach and decide whether it needs to be reported. Further information is also available in the Department of Health and Social Care’s NIS guide.
For NIS incidents, the guide contains significant impact threshold tables which show the criteria for reporting incidents which disrupt health and care services.
- Personal data breaches that result in a low score, where there is minimal risk to the impacted people, and incidents which do not meet the significant impact thresholds under NIS, may not need to be reported on the tool. You may however wish to voluntarily report the incident or personal data breach on the tool. You should still report low scoring breaches or incidents, and any near misses (that is, where a breach or incident could have occurred if action hadn’t been taken), via your local incident reporting system. This will help you detect patterns and identify any local remedial action which needs to be taken, for example updating procedures in response to an incident. Where applicable, you should also record locally your decision not to report an incident via the Data Security and Protection Toolkit (DSPT) and the reasons for it.
- Any personal data breach that is likely to result in a risk to the rights and freedoms must be reported on the tool. The same is true for incidents that meet the significant impact thresholds under NIS.
- Personal data breaches or incidents caused by someone processing data on your behalf must be reported by the controller of the data where required by the matrix. For example, if there was a personal data breach by a GP system supplier, the GP practice would need to report it. Processors are legally required to inform controllers of any personal data breach they become aware of.
Example
The diabetic department at a local acute hospital accidentally sends a list of patients to the podiatry team instead of the dietician team. This results in members of the podiatry team seeing the personal data of patients they are not caring for. The IG team records the personal data breach on their system and reports it via the DSPT. The risk matrix is used to help determine the severity of the personal data breach. The personal data breach has occurred but is considered minor because the data was not shared externally, and only a small number of individuals received the list. The score determines that the incident will be reported via the tool to the ICO, but not to the Department of Health and Social Care (DHSC).
How do I report a personal data breach or incident?
Personal data breaches or incidents should be reported using the reporting tool which can be accessed via the Data Security and Protection Toolkit. Once you are signed in, you should look for the “report an incident” menu link. The tool allows reporting in one place and details are passed by NHS England through the tool to the ICO and DHSC where required.
When reporting a personal data breach or an incident through the tool you will be asked to provide the following information:
- what has happened
- how did you find out
- when did you become aware
- was it caused by a problem with a network or information system
- what is the local ID of the incident
- when did the incident start
- is the incident still ongoing
- have data subjects been informed
- does the incident impact across a national border – if yes, have you notified any overseas authorities about the incident
- have you informed the police
- have you informed any other regulatory bodies
- has there been any media coverage (that you are aware of)
- what other actions have already been taken or are planned
- how many citizens are affected
- who is affected
- what is the likelihood that citizens’ rights have been affected
- what is the severity of the adverse effect
If the tool identifies from your answers that this was a potential NIS incident, you will additionally be asked:
- whether NHS healthcare services have been disrupted
- whether there has been any clinical harm or potential harm as a result of the incident
Answering these questions covers reporting requirements under data protection legislation and NIS regulations. The tool will then automatically report the personal data breach or incident to the ICO and the DHSC as required. You will receive notification from the ICO that the personal data breach or incident has been logged with them. The ICO or DHSC may then contact you directly for further information.
You do not have to provide all the information at this stage as it might not be known. However, as you become aware of information relating to the personal data breach or incident, then you should provide this on an ongoing basis. You must also document and report any personal data breaches or incidents internally as the ICO may ask for this information as a way of verifying compliance with UK GDPR.
When should I report a breach?
If you decide a personal data breach or incident needs reporting, you should report it via the DSPT tool without undue delay, or in any case, within 72 hours (3 days) of becoming “aware”.
You may require a brief period in which to investigate to establish with a reasonable amount of confidence that a personal data breach or incident has occurred. It is at this point that you have become "aware" of the personal data breach or incident and your 72-hour period starts. The time at which the personal data breach or incident is reported may therefore be different from the time the situation actually started. Within that 72-hour window, you can choose when to report. For example, you might spend the first 48 hours investigating the situation and putting in place remedial actions and then report the personal data breach or incident via the DSPT tool.
Example
Some samples for blood tests go missing in a lab. The samples contain personal data and details of what is being tested for. This is flagged as a clinical risk, but in parallel it is reported to the IG team because of the loss of personal data. The lab technician who received the samples is on leave for a day, so the IG team decides to wait 24 hours before reporting. Upon his return the samples are found. The lab procedures are updated to ensure all samples are logged immediately.
For urgent cyber security issues that require immediate advice and guidance, call the NHS data security helpline on 0300 303 5222 (available 24 hours per day). Even if an incident is not expected to meet the NIS incident thresholds or if it is unclear, seek support voluntarily from the NHS data security helpline as soon as practically possible so that the incident can be contained and further impacts on essential services mitigated. Where appropriate, NHS Cyber Operations will work with the National Cyber Security Centre to manage and resolve incidents.
Do I need to inform patients and service users about a personal data breach?
It is the responsibility of the controller to assess and decide whether individuals impacted need to be notified about a personal data breach. The tasks and responsibilities of both the controller and the processor, in connection with the notification of individuals following a data breach, should be defined and documented at contract stage.
Where there is a high risk to an individual’s rights and freedoms, you must contact those who are affected by the personal data breach. For example, where an individual’s name, date of birth and address have been breached because a third party processor did not have adequate security in place, and the attacker has taken identifiable data, that data could be used to commit identity fraud. This should be reported to the individuals who are impacted.
However, unless compelled to do so by the ICO, you do not need to inform patients or service users of a personal data breach if:
- Appropriate organisational or technical measures were in place at the time the personal data breach occurred, which made the data unusable or inaccessible. For example, the data or device was encrypted by your IT department before it was stolen.
- You have taken measures to ensure that any high risk impacts on the patient or service user are now unlikely to happen. For example, you have corrected the data you hold that was maliciously altered during a cyber attack.
- Disproportionate effort would be needed to inform the patients or service users of the personal data breach. In this case, a public message on the website or in local newspapers alerting patients or service users to the personal data breach would suffice, provided there is enough detail to inform them about what has happened. An example of this might be where a personal data breach has occurred, but it is not possible (without disproportionate effort) to identify those affected, so a public message is sent out asking people to contact you if they think they have been affected.
- Personal data is recovered (returned or securely destroyed) from a "trusted partner organisation." A trusted partner organisation could be the wrong department of your organisation. It could also be an organisation where you have an ongoing relationship, so you know their history and procedures. This could provide you with assurance that they will not read or access the data sent in error and comply with instructions to return it. Even if the data has been accessed, the controller could still possibly trust the recipient not to take any further action with it and to return the data to the controller promptly.
When informing an individual of a personal data breach, you should describe, in clear and plain English, the nature of the personal data breach and at least:
- the name and contact details of any DPOs you have, or other contact point where more information can be obtained
- a description of the likely consequences of the personal data breach
- a description of the measures taken or proposed, to deal with the personal data breach and, where appropriate, a description of the measures taken to mitigate any possible adverse effects
If possible, you should advise individuals on the steps they can take to protect themselves, and what you are willing to do to help them.
Here are letter templates for you to adapt and use if you wish:
Notification letter template (ODT, 17KB)
Follow-up letter template (ODT, 15KB)
Example
An administrator in a social care team contacts a service user to inform them of a change to their care package but contacts the wrong service user with the same name. Upon investigation, the social care team realises not only was the wrong service user contacted, but the wrong care record was updated too. The social care team reports the incident via the DSPT. The incident is reported via the DSPT to the ICO because of the potential impact upon the individual. The social care team contacts both service users to inform them of the personal data breach.