Part of Data Security Standard 6 - Responding to incidents
Incident management system (6.1.1)
Your organisation must have an incident management procedure that follows up on incidents after they have been reported. This ensures that, in line with the requirements of Standard 5, lessons can be learned, processes can be improved and systems can be changed. An incident reporting system on its own is not sufficient to satisfy the requirements of the DSPT.
Investigation
The lead investigator should not be responsible for the system or process under investigation. It is recognised that segregation of duties is difficult in small organisations, but having the person who reported an incident also investigate it is bad practice. Where possible, the person responsible for the system or process in question should not lead the investigation itself.
Managing an incident
Depending on the nature of the incident, it may need to be reported to other bodies in addition to being investigated. The following steps should be taken:
- Manage and respond to the incident operationally (if appropriate), obtaining support from NHS England.
- Follow the incident reporting guide on the Data Security and Protection Toolkit (DSPT) and inform NHS England.
- Triage and assess the incident immediately to ensure compliance with the 72-hour reporting timeframe to the ICO, if applicable. Consider whether personal data is involved and the severity of the impact.
- Consider whether it is a large incident, for example a threat or attack vector that you have not seen before.
- Respond to and then treat the incident. This may include applying immediate and longer-term actions.
Report an incident
To report an urgent cyber security issue call 0300 303 5222.
For general data security centre queries, email [email protected].
Last edited: 17 April 2024 9:31 am