
Part of Data Security Standard 6 - Responding to incidents

The incident reporting system (6.1.1)



Your organisation's plan or procedure should align to the Guide to the notification of data security and protection incidents. It must state that all staff are responsible for reporting data protection and security incidents. An effective incident reporting system will facilitate engagement by all staff members and enable lessons to be learned from incidents. It is important that the organisational culture enables and supports the reporting of incidents and near misses.

Incidents to be reported include any unusual problem, occurrence, or other situation that is likely to lead to undesirable effects or violates established data protection and security policy, such as:
  • potential and suspected disclosure of any information to unauthorised individuals
  • loss or theft (attempted or actual) of paper records, data or IT equipment on which data is stored
  • disruption to systems, clinical and business processes
  • attempts to gain unauthorised access to computer systems, such as hacking
  • altering or deleting records without appropriate authorisation
  • viruses or other malware attacks (suspected or actual)
  • 'blagging' offences where information is obtained by deception, such as a caller impersonating a staff member or patient
  • breaches of physical security, such as forcing doors or windows into a secure room, or leaving a filing cabinet containing sensitive information unlocked in an accessible area
  • leaving devices unlocked and unattended
  • human error, such as emailing data by mistake
  • covert or unauthorised recording of meetings and presentations
  • damage or loss of information and equipment due to theft, fires, floods, failure of equipment or power surges
  • deliberate leaking of information
  • insider fraud
  • systems unavailability that has a negative effect on service users/patients

To avoid confusion and maximise the speed of response to incidents, it is important that the reporting process is simple and clear.

Larger organisations may use a bespoke incident management IT system or software package. The data protection and security incident process should be integrated into this where possible. However, regardless of how incident reporting is conducted within your organisation, the process must capture the necessary information and appropriately manage the process in line with this DSPT guidance.

It is suggested that the approach below is taken and tailored to the specific size of your organisation, as well as what outsourced providers you have.


Have a single reporting point

This could be by telephone, email or by entering onto a system. A telephone number, or for smaller organisations, a named individual or role contact is essential so that staff can immediately raise the alarm if needed even if the IT system is down, and obtain timely advice on immediate steps to be taken. This reporting point should be clearly displayed on IT systems (affixed to the front of monitors or displayed on the front page of staff intranets for instance) and on staff notice boards, as well as within the organisation’s general operating procedures. For notice boards and operating procedures, it is recommended that a short description of the types of data protection and security incident are listed to enable users to realise when an incident has occurred. This single reporting point will be required to assess the report.


Have a single, simple reporting form

This should be no more than two pages, but preferably only one page, with as few questions as possible. It should be available in hard copy (in case the staff member cannot access the IT system they normally work from) and should also be made available from the organisation’s IT system or intranet. The required information is suggested to include no more than:

  • date
  • location
  • short summary of what occurred
  • type of incident – such as email, lost USB device or paper
  • whether personal data has been impacted
  • contact details for obtaining further information

Inform any individuals whose rights and freedoms have been severely impacted by the breach

It is important that if there is a high risk to an individual's (or individuals') rights and freedoms due to a breach, they are appropriately informed.

Please see NHS Transformation Directorate guidance on personal data breaches.


There is not one prescribed method of reporting incidents. Organisations may want to centralise around one prescribed route,  


Last edited: 28 September 2022 10:16 am