A personal data breach is defined as 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed'.
Personal data breaches [1] can be categorised into:
- confidentiality breach, where there is an unauthorised or accidental disclosure of or access to personal data. This type of breach is most common with patients' records.
- availability breach, where there is an accidental or unauthorised loss of access to, or destruction of, personal data. For example, this could arise after a cyberattack that prevents access to records or destroys them.
- integrity breach, where there is unauthorised or accidental alteration of personal data.
A data breach may involve all three categories, depending on the circumstances.
Data Security and Protection Incident Reporting tool
All health service organisations in England must now use the Data Security and Protection Incident Reporting tool. This has been designed to identify those breaches that meet the threshold for notification. It will report relevant incidents to NHS Digital, the Department of Health, the ICO and other regulators.
If there is an urgent security-related incident that requires immediate assistance and support, you can contact the Data Security Centre helpdesk on 0300 303 5333 or firstname.lastname@example.org. Local incident management must still be carried out in the normal way.
You must report a data breach to the ICO, using either the Data Security and Protection Reporting Tool in England or the ICO breach reporting tool in Scotland, Wales and Northern Ireland, if it is likely to result in a "risk to the rights and freedoms of individuals".
These reports must be made without undue delay, and not later than 72 hours after you become aware of the breach.
Breach notification must include:
- the nature of the personal data breach, including:
  - the categories and approximate number of individuals concerned
  - the categories and approximate number of personal data records concerned
- the name and contact details of the data protection officer (DPO) or other contact point
- a description of the likely consequences of the personal data breach
- a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including measures to mitigate possible adverse effects.
The GDPR states that you should inform the data subject if a breach is likely to result in a high risk to their rights and freedoms. This is a higher level of risk than that which triggers a notification to the ICO, but it may well be met when considering data that refers to a person's health. For example, an accidental disclosure of patient records is likely to be considered as producing a high risk to the rights and freedoms of patients, requiring you to inform the data subject.
This is because of the significant impact on the affected patients due to the sensitivity of the data and the potential for confidential medical details to become known to others.
Failure to notify a breach appropriately can result in an administrative fine much higher than under the DPA. This could be up to €10 million or 2% of your global turnover.
You should make sure all staff are aware of what constitutes a data breach, and that it is not just loss of personal data. You should also have robust procedures in place to detect, investigate and report breaches.
GMC guidance on data breaches
In Good medical practice (2013), the GMC says that you must be open and honest when things go wrong and explain fully and promptly what has happened. It would seem sensible to inform patients of any data breaches, even if it is not mandatory under the GDPR.
[1] Guidelines on Personal data breach notification under Regulation 2016/679; Article 29 Data Protection Working Party, adopted 3 October 2017
This page was correct at publication on 09/11/2020. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.