Part of Data Security Standard 6 - Responding to incidents
Notifying local leaders, national bodies and individuals of a data breach (6.1.2, 6.1.3)
If an incident is a potential personal data breach (under UK GDPR/DPA 18), it should be triaged in line with the DSPT Incident Reporting Guidance and through your incident reporting system.
If the breach meets the threshold, details will be sent to the ICO as the supervisory authority and, depending on impact and nature (such as a network and information systems (NIS) breach), the Department of Health and Social Care (DHSC) or NHS England.
Notification needs to take place within 72 hours of you becoming aware of the breach. It is important to understand the notification system within the DSPT: it is not an incident management system (as described earlier) but a reporting tool. Once an incident has been notified, all further interaction is directly with the ICO (for example, you cannot alter an existing notified incident).
In the event of a personal data breach, your board (or equivalent) should be notified of the breach including any associated action plan, which should encompass dealing with the risks and impact of the incident and lessons learned (see Standard 5 Process).
If a breach results in a high risk to the rights and freedoms of individuals, the data subjects (such as patients or staff) involved will need to be informed.
You can also refer to further guidance on personal data breaches by the NHS Transformation Directorate.
Last edited: 26 September 2022 12:47 pm