The GDPR defines a personal data breach as 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed'.
Personal data breaches1 can be categorised into:
- confidentiality breach, where there is an unauthorised or accidental disclosure of or access to personal data. This type of breach is most common with patients' records.
- availability breach, where there is an accidental or loss of access to or destruction of personal data. For example, the sort of problem that might arise after a cyberattack that prevented access to and/or destroyed records.
- integrity breach, where there is unauthorised or accidental alteration of personal data.
A data breach may involve all three categories, depending on the circumstances.
You must report a data breach to the ICO if it is likely to result in a risk to the rights and freedoms of individuals. These reports must be made without undue delay, and not later than 72 hours after you become aware of the breach.
An unaddressed data breach is likely to have a significant detrimental effect on individuals, and could result in discrimination, damage to reputation, financial loss, loss of confidentiality or other significant economic or social disadvantage.
Breach notification must include:
- the nature of personal data breach including:
- the categories and approximate number of individuals concerned
- categories and approximate number of personal data records concerned
- name and contact details of DPO or other contact point
- description of likely consequences of personal data breach
- description of measures taken or proposed to be taken to deal with personal data breach, including measures to mitigate possible adverse effects.
The GDPR states that you should inform the data subject if a breach is likely to result in a high risk to their rights and freedoms. This is a higher level of risk to that which triggers a notification to the ICO. An accidental disclosure of patient records, for example, is likely to produce a high risk to the rights and freedoms of patients, requiring you to inform the data subjects.
This is because of the significant impact on the affected patients due to the sensitivity of the data and the potential for confidential medical details to become known to others.
Failure to notify a breach appropriately can result in an administrative fine much higher than under the DPA. This could be up to €10 million or 2% of your global turnover.
You should make sure all staff are aware of what constitutes a data breach, and that it is not just loss of personal data. You should also have robust procedures in place to detect, investigate and report breaches.
GMC guidance on data breaches
In 'Good medical practice' (2013) the GMC says that you must be open and honest when things go wrong and explain fully and promptly what has happened. It would seem sensible to inform patients of any data breaches, even if it is not mandatory under the GDPR.
1 Guidelines on Personal data breach notification under Regulation 2016/679; Article 29 Data protection Working Party, adopted 3 October 2017
This guidance was correct at publication 14/02/2018. It is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.