Policy: IG01. Information Governance Incident Reporting Policy. n/a. Date ratified: 16th April 2014


Policy: IG01
Information Governance Incident Reporting Policy
Version: IG01/01
Ratified by: Trust Management Team
Date ratified: 16th April 2014
Title of Author: Head of Governance
Title of responsible Director: Medical Director
Governance Committee: Trust Information and Governance Group
Date issued: 17th April 2014
Review date: January 2017
Target audience: All Staff
Disclosure Status: Can be disclosed to patients and the public
EIA / Sustainability: n/a
Implementation Plan:
Other Related Procedure or Documents:
West London Mental Health NHS Trust Page 1 of 21

Equality & Diversity statement
The Trust strives to ensure its policies are accessible, appropriate and inclusive for all. Therefore all policies will be required to undergo an Equality Impact Assessment and will only be approved once this process has been completed.

Sustainable Development Statement
The Trust aims to ensure its policies consider and minimise the sustainable development impacts of its activities. All policies are therefore required to undergo a Sustainable Development Impact Assessment to ensure that the financial, environmental and social implications have been considered. Policies will only be approved once this process has been completed.

IG01 Information Governance Incident Reporting Policy
Version Control Sheet
Version: IG01/01
Date:
Title of Author: Head of Governance
Status: Under consultation
Comment: Trustwide consultation ending. Approved at April 2014 TMT.

Content
1 Flowchart
2 Introduction (includes purpose)
3 Scope
4 Definitions
5 Duties
  5.1 Chief Executive
  5.2 Accountable Director
  5.3 Senior Information Risk Owner
  5.4 Managers
  5.5 Policy Author
  5.6 Local Policy Leads
  5.7 Information Governance Manager
6 Systems and Recording
7 Background to Information Security Incidents
8 What is a SIRI
9 Assurance Process
10 Penalties
11 Training
12 Implementation
13 Fraud Statement
14 References
15 Supporting documents
16 Glossary of Terms/Acronyms
Appendix 1 Breach Types
Appendix 2 Monitoring Template

1. INFORMATION GOVERNANCE REPORTING POLICY FLOWCHART

Information Governance Incident Reporting Process

Within 24hrs:
- IG Incident occurs.
- Incident recorded on the Exchange IR1 system.
- IG Manager assesses the IR1 using the HSCIC Checklist Guidance; IR1 approved in line with the I8 Policy.
- IG Incident Level 2: the IR1 is a potential SI, reportable on StEIS. SIRO, Caldicott Guardian and Head of Governance informed, in line with the I8 Policy.
- IG Incident Level 0 or 1: IR1 causative factors and actions to be discussed and managed at local team level, in line with the I8 Policy. (For HSS only: the IR1 becomes a potential SI, reportable on StEIS.)

Within 48hrs:
- Level 2: IG Manager logs the incident on the IG Toolkit. SI Notification or 24hr report forwarded to the SI Manager to record on StEIS. If the IG SIRI is downgraded to Level 0 or 1, the IG Manager closes it off on the IG Toolkit and it is managed in line with the I8 Policy.
- Level 0 or 1: SI Notification forwarded to the SI Manager to record on StEIS (for HSS only).

Within 72hrs:
- Level 2: Head of Governance initiates the IG Incident Response Plan. Incident Reporting Matrix completed. Local Team Review; Grade 1 or Grade 2 report completed within the agreed timeframe. Action plan outcomes, sign-off and monitoring. Final report and lessons learned reported to TMT and TRIGG. Incident updated and closed off on the IG Toolkit by the IG Manager. Final report to the SI Manager and NHS London.
- Level 0 or 1: IG Incident reviewed in line with the I8 Policy.

2. INTRODUCTION
2.1 The purpose of this document is to set out a clear process within the Trust for management of the new requirement within the IG Toolkit for reporting Information Governance Serious Incidents Requiring Investigation (IG SIRI), and:-
- To ensure that all significant information governance and security incidents are reported, risk assessed and any subsequent investigations and/or actions carried out.
- To support the risk management framework in which information risks will be identified, assessed and addressed.
- To embed an open culture of information security incident reporting and management within WLMHT.
- To assist in safeguarding the Trust's information assets and information flows.
- To meet legal and regulatory compliance obligations.

3. SCOPE
3.1 All incidents surrounding Trust administrative and business activities that can be regarded as being information governance and security related.
3.2 This procedure applies to all staff employed within the Trust on either permanent or temporary contracts, as an agency member of staff or as a volunteer. All staff are expected to be aware of this policy, to understand their responsibilities and to follow the guidance contained within this policy.

4. DEFINITIONS
4.1 Information Governance: Information Governance provides a framework to bring together all the legal rules, guidance and best practice that apply to the handling of information.
4.2 Breach: please see Appendix 1 (Breach Types).
4.3 Information Governance Toolkit: the Information Governance Incident Reporting Toolkit is an online product hosted on the secure Information Governance Toolkit website.
4.4 IR1: the incident reporting form available on the Exchange.
4.5 StEIS: Strategic Executive Information System, the national database where serious incidents for investigation are reported.
4.6 Serious Incident: something out of the ordinary or unexpected with the potential or actual causing of harm, and/or likely to attract public and media attention.

5. DUTIES

5.1 Chief Executive
The Chief Executive is responsible for ensuring that the Trust has policies in place and complies with its legal and regulatory obligations.

5.2 Accountable Director
The Trust's Medical Director (Caldicott Guardian) has responsibility for Information Governance assurance.

5.3 The Senior Information Risk Owner (SIRO)
The Director of Finance & Information is the Trust's SIRO, whose responsibilities can be summarised as:
- Leading and fostering a culture that values, protects and uses information for the success of the organisation and the benefit of its customers
- Owning the organisation's overall information risk policy and risk assessment processes and ensuring they are implemented consistently by IAOs
- Advising the Chief Executive or relevant accounting officer on the information risk aspects of his/her statement on internal controls
- Owning the organisation's information incident management framework

5.4 Managers
Managers are responsible for ensuring that this policy is communicated to their teams / staff. They are responsible for ensuring staff attend relevant Information Governance training and adhere to the requirements of the process outlined in this policy. They are also responsible for ensuring policies applicable to their services are implemented. All managers and staff are expected to be aware of the IG requirements that apply to them, to comply with legal requirements and with requests and instructions from the Information Governance Manager, and to assign appropriate priority to them.

5.5 Policy Author
The Policy Author is responsible for the development or review of this policy, as well as for ensuring that implementation and monitoring are communicated effectively throughout the Trust via CSU / Directorate leads and that monitoring arrangements are robust.

5.6 Local Policy Leads
Local policy leads are responsible for ensuring that this policy is communicated and implemented within their CSU / Directorate, as well as for co-ordinating and systematically filing monitoring reports. Areas of poor performance should be raised at the CSU / Directorate SMT meetings.

5.7 The Information Governance Lead
The Information Governance Manager is the Trust's Information Governance Lead and is responsible for co-ordinating the annual assessment of organisational compliance, providing guidance and advice on the application of Information Governance, updating and completing the IG Toolkit, and reporting IG incidents onto the IG Toolkit reporting system.

6. SYSTEMS / DOCUMENTATION
6.1 Where recorded:
- IR1 reporting system (using the information breach category)
- StEIS database
- IG Toolkit reporting system
- Action zone
6.2 Recorded by (name/title):
- Information Governance Manager
- Serious Incident Manager
- Incident Manager
- Staff / managers
6.3 When recorded (date): As required

7. BACKGROUND TO INFORMATION SECURITY INCIDENTS
7.1 What are classed as information security incidents?
There are two classes:
- A breach of confidentiality affecting one or more service users or members of staff.
- Loss of person identifiable data by any means.
Person identifiable data contains the person's name and/or other items of data that could singly or compositely identify the person to whom it relates. NB This includes staff as well as service user data. Examples are:
- Sharing person identifiable data with others who have no legitimate right to know about it
- Attempting to gain access to person identifiable data when you have no legitimate right to access it
- Leaving person identifiable data insecure, i.e. not locking it away, or failing to lock or log out of your computer when it is being displayed and you are absent from your work area
- Sharing passwords
- Sharing Smartcards
- Sharing user accounts
- Sending person identifiable data to the wrong recipient by any transport medium
- Sending person identifiable data externally by insecure email, i.e. not using your NHSmail account or not using a password protected attachment
- Losing, or having had stolen, your laptop, Trust issued PDA, Smartphone or USB memory stick where it is holding person identifiable data.

7.2 Procedure: What is the IG Incident Reporting Tool?
The Information Governance Incident Reporting Tool is an online product hosted on the secure Information Governance Toolkit website. It is the Department of Health (DH) and Information Commissioner's Office agreed solution for reporting personal data security breaches. Organisations can only see incidents recorded against their organisation code. They cannot view other incidents until information is published on the Information Governance Toolkit website.

7.3 Internal Reporting of Information Governance & Security Incidents
Information governance and security incidents must be reported onto the IR1 incident reporting system by the staff member identifying the incident and/or the manager of the service area. When reporting such incidents you need to ensure you select "Information breach of confidentiality" from the incident category drop-down menu. This is to ensure the IG Manager receives the notification from the Exchange informing them that an incident has occurred. The IG Manager will then contact the department concerned to discuss the incident. Once an incident has been reported you need to ensure you follow due process as outlined in the Incident Reporting & Management Policy (I8).

8. WHAT IS A SIRI?

8.1 What is a Serious Incident?
The Health and Social Care Information Centre states that there is no simple definition of a serious incident. What may at first appear to be of minor importance may, on further investigation, be found to be serious, and vice versa. As a guide:-
- Any incident which involves actual or potential failure to meet the requirements of the Data Protection Act 1998 and/or the Common Law of Confidentiality. This includes unlawful disclosure or misuse of confidential data, recording or sharing of inaccurate data, information security breaches and inappropriate invasion of people's privacy.
- Such personal data breaches which could lead to identity fraud or have other significant impact on individuals.
- Applies irrespective of the media involved and includes both electronic media and paper records.

How to access the IG Incident Reporting Tool
The Information Governance Manager will have access to the Information Governance Incident Reporting Tool via the secure website.

How to log an IG SIRI
The Information Governance Manager will be notified of all incidents via the IR1 reporting system and through reporting of Serious Incidents which are related to Information Governance. The Information Governance Manager will undertake an assessment using the Health and Social Care Information Centre checklist guidance. Incidents scored as Level 2 or above will be treated as a Serious Incident and will follow the Trust's Incident Reporting and Management Policy (I8). The Information Governance Manager will contact the relevant service manager to instigate a root cause analysis report using the template within the Trust's Incident Reporting and Management Policy (I8).

Monitoring Action Plans
Action plans will be developed by the review team in conjunction with the Information Governance Manager. Action plans will be monitored via the Trust Information Governance Group and the Trust's Incident Review Group. The Trust Information Governance Group will be provided with quarterly reports of all IG SIRIs.

Closed SIRIs
All information recorded under a Closed IG SIRI on the Information Governance Toolkit Incident Reporting Tool will be published quarterly by the Health and Social Care Information Centre. Other IG SIRIs marked as Open, Withdrawn or Duplicate will not be published by the HSCIC.

Lessons Learnt / Flow Chart
All lessons learnt from SIRIs will be discussed at the Trust Information Governance Group, the Trust's Incident Review Group and the Trust's Learning Lessons event, and will be disseminated across the organisation using established communication processes. Please refer to section 1 for the flow chart which details the process to be followed within the Trust.

8.2 External reporting of information governance and security incidents
New mandated guidance came into force on 1st June 2013 and all information governance and security incidents must be reported through the Information Governance Toolkit when categorised at the appropriate level. On a quarterly basis the Health and Social Care Information Centre (HSCIC) will report all closed level 2 IG SIRI (serious incident requiring investigation) incidents on its public website.

8.3 Categorising information governance and security incidents
8.3.1 The new checklist details how the Trust is to categorise an incident; please see the relevant section and appendix.
8.3.2 On receiving a notification from the Exchange that an IG incident has occurred, the Information Governance Manager will undertake an initial assessment using the Health and Social Care Information Centre IG SIRI categorisation.

8.3.3 If the incident is not categorised as a level 2, the team will follow normal practice using the incident reporting process. However, if an incident is categorised as a level 2, the IG Manager will contact the Medical Director and the Senior Information Risk Owner within 24 hours. The Information Governance Group will decide whether the categorisation at level 2 is confirmed and agree the investigation that is required. The Information Governance Manager will detail this decision in the IG SIRI Incident Log and record the incident on the Information Governance Toolkit in the Incident Reporting section. This means the incident is formally reported through this mechanism and onto the Information Commissioner's Office, using the StEIS / IR1 ID number as a reference for internal processes. Please see the process flow for a level 2 incident.
The Head of Governance is then notified of the incident confirmed as an IG level 2, and now a serious incident. The Head of Governance will follow due process using the Serious Incident Process as outlined in the I8 policy. The team affected by the incident will also be notified by the IG Manager that the incident is now an SI. The IG Manager will be kept appropriately briefed by the team affected as the SI investigation proceeds.

9. ASSURANCE PROCESS

9.1 Assessing the Severity of the Incident
Although the primary factors for assessing the severity level are the number of individual data subjects affected, the potential for media interest and the potential for reputational damage, other factors may indicate that a higher rating is warranted, for example the potential for litigation, significant distress or damage to the data subject(s), and other personal data breaches of the Data Protection Act. As more information becomes available, the IG SIRI level should be re-assessed. Where the number of individuals potentially impacted by an incident is unknown, a sensible view of the likely worst case should inform the assessment of the SIRI level. When more accurate information is determined, the level should be reassessed as quickly as possible. All IG SIRIs entered onto the IG Toolkit Incident Reporting Tool that reach severity level 2 will trigger an automated notification to the Department of Health, the Health and Social Care Information Centre and the Information Commissioner's Office in the first instance, and to other regulators as appropriate. The IG Incident Reporting Tool works on the basis that there are two factors when calculating the severity of an incident; these are:-

- Scale
- Sensitivity

9.2 Scale Factors
Whilst any IG SIRI is potentially a very serious matter, the number of individuals that might potentially suffer distress, harm or other detriment is clearly an important factor. The scale (noted under Step 1 below) provides the base categorisation level of an incident, which will be modified by a range of sensitivity factors.

9.3 Sensitivity Factors
Sensitivity in this context may cover a wide range of different considerations, and each incident may have a range of characteristics, some of which may raise the categorisation of an incident and some of which may lower it. The same incident may have characteristics that do both, potentially cancelling each other out. For the purpose of IG SIRIs, sensitivity factors may be:
i. Low - reduces the base categorisation
ii. Medium - has no effect on the base categorisation
iii. High - increases the base categorisation

Categorising SIRIs
The IG SIRI category is determined by the context, scale and sensitivity. Every incident can be categorised as level:
1. Confirmed IG SIRI but no need to report to ICO, DH and other central bodies.
2. Confirmed IG SIRI that must be reported to ICO, DH and other central bodies.
A further category of IG SIRI is also possible and should be used at incident closure where it is determined that it was a near miss or the incident is found to have been mistakenly reported:
- Near miss / non-event: where an IG SIRI is found not to have occurred, or its severity is reduced due to fortunate events which were not part of pre-planned controls, this should be recorded as a "near miss" to enable lessons learned activities to take place and appropriate recording of the event.

The following process should be followed to categorise an IG SIRI.

Step 1: Establish the scale of the incident. If this is not known it will be necessary to estimate the maximum potential scale point.

Baseline Scale
- 0: Information about less than 10 individuals
- 1: Information about individuals
- 1: Information about individuals
- 2: Information about individuals
- 2: Information about individuals
- 2: Information about 501-1,000 individuals
- 3: Information about 1,001-5,000 individuals
- 3: Information about 5,001-10,000 individuals
- 3: Information about 10, ,000 individuals
- 3: Information about 100,001 + individuals

Step 2: Identify which sensitivity characteristics may apply; the baseline scale point will adjust accordingly. Sensitivity Factors (SF) modify the baseline scale.

Low: For each of the following factors, reduce the baseline score:
- No clinical data at risk
- Limited demographic data at risk, eg. address not included, name not included.
- Security controls / difficulty to access data partially mitigates risk.

Medium: The following factors have no effect on the baseline score (0):
- Basic demographic data at risk, eg. equivalent to telephone directory.
- Limited clinical information at risk, eg. clinic attendance, ward handover sheet.

High: For each of the following factors, increase the baseline score by 1 (+1 for each):
- Detailed clinical information at risk, eg case notes
- Particularly sensitive information at risk, eg HIV, STD, Mental Health, Children.
- One or more previous incidents of a similar type in the past 12 months.
- Failure to securely encrypt mobile technology or other obvious security failing.
- Celebrity involved or other newsworthy aspects or media interest.
- A complaint has been made to the Information Commissioner.
- Individuals affected are likely to suffer significant distress or embarrassment.
- Individuals affected have been placed at risk of physical harm.
- Individuals affected may suffer significant detriment, eg financial loss.
- Incident has incurred or risked incurring a clinical untoward incident.

Step 3: Final Score
- 1 or less: Level 1 IG SIRI (Not reportable)
- 2 or more: Level 2 IG SIRI (Reportable)
Where the adjusted scale indicates that the incident is level 2, the incident will be reported to the ICO and DH automatically via the IG Incident Reporting Tool.
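The three-step categorisation above, written out as an added Python example (not the Trust's or HSCIC's own tool) so the arithmetic can be checked: it takes the Step 1 baseline scale point read from the Baseline Scale table, applies the Step 2 weights as the page states them (+1 per high factor, 0 per medium factor) together with the section 9.1 worst-case rule when the scale is unknown, and then applies the Step 3 threshold. The factor names are constructed, and the reduction per low factor is assumed to be 1 because the amount is not legible in this copy of the table.

```python
"""IG SIRI categorisation (Steps 1-3 of section 9) as a small, checkable routine.

Added example; not the Trust's or HSCIC's own tool. The caller supplies the
Step 1 baseline scale point (0-3) read from the Baseline Scale table.
"""
from dataclasses import dataclass, field

# Step 2 sensitivity factors, keyed by a short constructed name.
# High factors add +1 each and medium factors add 0, as the policy states.
# ASSUMPTION: the reduction per low factor is not legible in this copy of the
# table, so -1 per low factor is assumed here.
LOW_WEIGHT = -1
SENSITIVITY_FACTORS = {
    # Low
    "no_clinical_data": LOW_WEIGHT,
    "limited_demographic_data": LOW_WEIGHT,
    "controls_partially_mitigate": LOW_WEIGHT,
    # Medium
    "basic_demographic_data": 0,
    "limited_clinical_information": 0,
    # High
    "detailed_clinical_information": 1,
    "particularly_sensitive_information": 1,
    "similar_incident_last_12_months": 1,
    "unencrypted_mobile_or_obvious_failing": 1,
    "celebrity_or_media_interest": 1,
    "complaint_to_ico": 1,
    "significant_distress_or_embarrassment": 1,
    "risk_of_physical_harm": 1,
    "significant_detriment": 1,
    "clinical_untoward_incident": 1,
}

MAX_BASELINE = 3  # Step 1: the highest baseline scale point on the table


@dataclass
class Assessment:
    baseline: int
    factors: list
    score: int
    level: str          # "Level 1", "Level 2" or "Near miss / non-event"
    reportable: bool    # True only for Level 2 (automatic ICO/DH notification)
    adjustments: list = field(default_factory=list)  # (factor, weight) audit trail


def categorise(baseline, factors=(), near_miss=False):
    """Apply Steps 1-3: baseline scale point + sensitivity factors -> level."""
    if baseline is None:
        # Section 9.1: if the number of individuals is unknown, assess on the
        # likely worst case and re-assess when better information arrives.
        baseline = MAX_BASELINE
    if not 0 <= baseline <= MAX_BASELINE:
        raise ValueError(f"baseline scale point must be 0-{MAX_BASELINE}")
    unknown = sorted(set(factors) - set(SENSITIVITY_FACTORS))
    if unknown:
        raise ValueError(f"unknown sensitivity factor(s): {unknown}")
    adjustments = [(f, SENSITIVITY_FACTORS[f]) for f in factors]
    score = baseline + sum(w for _, w in adjustments)
    if near_miss:
        # Closure category: recorded as a near miss so lessons learned still happen.
        level, reportable = "Near miss / non-event", False
    elif score >= 2:
        level, reportable = "Level 2", True    # Step 3: 2 or more
    else:
        level, reportable = "Level 1", False   # Step 3: 1 or less
    return Assessment(baseline, list(factors), score, level, reportable, adjustments)


def reassess(previous, baseline=None, factors=None):
    """Re-run the categorisation once more accurate information is known."""
    return categorise(
        previous.baseline if baseline is None else baseline,
        previous.factors if factors is None else factors,
    )


if __name__ == "__main__":
    # Constructed scenario: a ward handover sheet (limited clinical information)
    # covering 501-1,000 individuals (baseline 2) is lost on public transport.
    first = categorise(2, ["limited_clinical_information"])
    print(first.level, first.score)          # Level 2 2
    # Constructed follow-up: the sheet turns out to name fewer than 10 people.
    print(reassess(first, baseline=0).level)  # Level 1
```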

10. PENALTIES

DPA penalties and the ICO
The ICO has several options when it finds an organisation in breach of the Data Protection Act:
- Monetary penalty notices: fines of up to £500,000 for serious breaches of the DPA.
- Prosecutions and possible prison sentences for deliberate acts of breaching the DPA.
- Undertakings: organisations have to commit to a particular course of action to improve their compliance and avoid further action from the ICO.
- Enforcement notices: organisations in breach of legislation are required to take specific steps in order to comply with the law.
- Audit: the ICO has the authority to audit government departments without consent.
The ICO can issue fines of up to £500,000 for serious breaches of the Data Protection Act and the Privacy and Electronic Communications Regulations. The monetary penalty notices the ICO has issued are published on its website. Data controllers have the right to appeal against a monetary penalty to the First-tier Tribunal (Information Rights).

11. TRAINING
- Induction
- Secondary Induction
- RCA
- Bespoke Incident training
For full details of training please refer to the M12 policy, Mandatory Training.

12. IMPLEMENTATION
12.1 This policy will be disseminated via the Trust intranet (Exchange Policies and Procedures page) and policy manuals.

12.2 This policy will be implemented via:
- CSU Incident Review Group meetings
- CSU governance meetings
- Trust Incident Review Group meetings
- Trust Information Governance Review Group
- Root Cause Analysis Training
12.3 This policy will be reviewed within a two year period, unless national guidance or legislation requires an earlier review. This policy will be reviewed by the Trust Management Team (TMT) and ratified by the Board.
This policy is monitored at the Trust Incident Review Group and the Trust Information Review Group via scorecards and reports of incidents and serious incident reviews, including monitoring timescales of completion and quarterly reports on themes, trends, action plans and lessons learnt. (Full monitoring details can be found in Appendix 2.)

13. FRAUD STATEMENT
Fraud within the NHS is unacceptable and diverts valuable resources away from patient care. Any concerns over deliberate misapplication of any policy should be reported to the Trust's Local Counter Fraud Specialist or Director of Finance, or ring the National Fraud and Corruption reporting line. Please refer to the Trust's Counter Fraud Policy and Reporting Procedure (F2) for details. The policy is available on the Trust's intranet.

14. REFERENCES (EXTERNAL DOCUMENTS)
This policy should be read in conjunction with the following:
- Health & Social Care Information Centre (June 2013, V2): Checklist Guidance for Reporting, Managing and Investigating Information Governance Serious Incidents Requiring Investigation.

15. SUPPORTING DOCUMENTS (TRUST DOCUMENTS)
- Incident Reporting and Management Policy (I8)
- Information Governance Policy

16. GLOSSARY OF TERMS / ACRONYMS
CD: Compact Disc
CSU: Clinical Service Unit
CQC: Care Quality committee
DH: Department of Health
DPA: Data Protection Act
DVD: Digital Versatile Disc
FOIA: Freedom of Information Act
GUM: Genito-urinary Medicine
HIV: Human Immunodeficiency Virus
HR: Human Resources
H&S: Health & Safety
HSCIC: Health & Social Care Information Centre
HSE: Health & Safety Executive
IAO: Information Asset Owner
ICO: Information Commissioner's Office
IG: Information Governance
PDA: Personal Digital Assistant
PLACE: Patient led Assessments of the Care Environment
MHA: Mental Health Act
MHRA: Medicines and Healthcare Regulatory Agency
NHS: National Health Service
NMC: Nursing & Midwifery Council
RCA: Root Cause Analysis
SF: Sensitivity Factors
SI: Serious Incident
SIRI: Serious Incident Requiring Investigation
SIRO: Senior Information Risk Owner
SMT: Senior Management Team
STD: Sexually Transmitted Disease
TMT: Trust Management Team
USB: Universal Serial Bus
WLMHT: West London Mental Health Trust

17. APPENDICES
Appendix 1 Breach Types
Appendix 2 Monitoring Template

APPENDIX 1: BREACH TYPES

Breach Type: Lost in Transit
Examples / incidents covered within this definition: the loss of data (usually in paper format, but may also include CDs, tapes, DVDs or portable media) whilst in transit from one business area to another location. May include data that is:
- Lost by a courier;
- Lost in the general post (i.e. does not arrive at its intended destination);
- Lost whilst on site but in situ between two separate premises / buildings or departments;
- Lost whilst being hand delivered, whether that be by a member of the data controller's staff or a third party acting on their behalf.
Generally speaking, lost in transit would not include data taken home by a member of staff for the purpose of home working or similar (please see lost or stolen hardware and lost or stolen paperwork for more information).

Breach Type: Lost or stolen hardware
The loss of data contained on fixed or portable hardware. May include:
- Lost or stolen laptops;
- Hard-drives;
- Pen-drives;
- Servers;
- Cameras;
- Mobile phones containing personal data;
- Desk-tops / other fixed electronic equipment;
- Imaging equipment containing personal data;
- Tablets;
- Any other portable or fixed devices containing personal data.
The loss or theft could take place on or off a data controller's premises, for example the theft of a laptop from an employee's home or car, or the loss of a portable device whilst travelling on public transport. Unencrypted devices are at particular risk.

Breach Type: Lost or stolen paperwork
The loss of data held in paper format. Would include any paperwork lost or stolen which could be classified as personal data (i.e. is part of a relevant filing system / accessible record). Examples would include:
- medical files;
- letters;
- rotas;
- ward handover sheets;
- employee records.
The loss or theft could take place on or off a data controller's premises, so for example the theft of paperwork from an employee's home or car, or a loss whilst they were travelling on public transport, would be included in this category. Work diaries may also be included (where the information is arranged in such a way that it could be considered to be an accessible record / relevant filing system).

Breach Type: Disclosed in error
This category covers information which has been disclosed to the incorrect party, or where it has been sent or otherwise provided to an individual or organisation in error. This would include situations where the information itself hasn't actually been accessed. Examples include:
- Letters / correspondence / files sent to the incorrect individual;
- Verbal disclosures made in error (however wilful inappropriate disclosures / disclosures made for personal or financial gain will fall within the s55 aspect of reporting);
- Failure to redact personal data from documentation supplied to third parties;
- Inclusion of information relating to other data subjects in error;
- Emails or faxes sent to the incorrect individual or with the incorrect information attached;
- Failure to blind carbon copy ("bcc") emails;
- Mail merge / batching errors on mass mailing campaigns leading to the incorrect individuals receiving personal data;
- Disclosure of data to a third party contractor / data processor who is not entitled to receive it.

Breach Type: Uploaded to website in error
This category is distinct from disclosure in error as it relates to information added to a website containing personal data which is not suitable for disclosure. It may include:
- Failures to carry out appropriate redactions;
- Uploading the incorrect documentation;
- The failure to remove hidden cells or pivot tables when uploading a spreadsheet;
- Failure to consider / apply FOIA exemptions to personal data.

Breach Type: Non-secure disposal - hardware
The failure to dispose of hardware containing personal data using appropriate technical and organisational means. It may include:
- Failure to meet the contracting requirements of principle seven when employing a third party processor to carry out the removal / destruction of data;
- Failure to securely wipe data ahead of destruction;
- Failure to securely destroy hardware to appropriate industry standards;
- Re-sale of equipment with personal data still intact / retrievable;
- The provision of hardware for recycling with the data still intact.

Breach Type: Non-secure disposal - paperwork
The failure to dispose of paperwork containing personal data to an appropriate technical and organisational standard. It may include:
- Failure to meet the contracting requirements of principle seven when employing a third party processor to remove / destroy / recycle paper;
- Failure to use confidential waste destruction facilities (including on site shredding);
- Data sent to landfill / recycling intact (this would include refuse mix-ups in which personal data is placed in the general waste).

Breach Type: Technical security failing (including hacking)
This category concentrates on the technical measures a data controller should take to prevent unauthorised processing and loss of data and would include:
- Failure to appropriately secure systems from inappropriate / malicious access;
- Failure to build websites / access portals to appropriate technical standards;
- The storage of data (such as CV3 numbers) alongside other personal identifiers in defiance of industry best practice;
- Failure to protect internal file sources from accidental / unwarranted access (for example failure to secure shared file spaces);
- Failure to implement appropriate controls for remote system access for employees (for example when working from home).
In respect of successful hacking attempts, the ICO's interest is in whether there were adequate technical security controls in place to mitigate this risk.

Breach Type: Corruption or inability to recover electronic data
Avoidable or foreseeable corruption of data, or an issue which otherwise prevents access, which has quantifiable consequences for the affected data subjects (e.g. disruption of care / adverse clinical outcomes), for example:
- The corruption of a file which renders the data inaccessible;
- The inability to recover a file as its method / format of storage is obsolete;
- The loss of a password or encryption key, or the poor management of access controls, leading to the data becoming inaccessible.

Breach Type: Unauthorised access / disclosure
The offence under section 55 of the DPA: wilful unauthorised access to, or disclosure of, personal data without the consent of the data controller.
Example (1): An employee with admin access to a centralised database of patient details accesses the records of her daughter's new boyfriend to ascertain whether he suffers from any serious medical conditions. The employee has no legitimate business need to view the documentation and is not authorised to do so. On learning that the data subject suffers from a GUM related medical condition, the employee then challenges him about his sexual history.
Example (2): An employee with access to details of patients who have sought treatment following an accident sells the details to a claims company, who then use this information to facilitate lead generation within the personal injury claims market. The employee has no legitimate business need to view the documentation and has committed an offence both in accessing the information and in selling it on.
A recent successful prosecution for a s55 offence:

Breach Type: Other
This category is designed to capture the small number of occasions on which a principle seven breach occurs which does not fall into the aforementioned categories. These may include:
- Failure to decommission a former premises of the data controller by removing the personal data present;
- The sale or recycling of office equipment (such as filing cabinets) later found to contain personal data;
- Inadequate controls around physical employee access to data leading to the insecure storage of files (for example a failure to implement a clear desk policy or a lack of secure cabinets).
This category also covers all aspects of the remaining data protection principles as follows:
- Fair processing;
- Adequacy, relevance and necessity;
- Accuracy;
- Retaining of records;
- Overseas transfers.

APPENDIX 2

MONITORING TEMPLATE

POLICY / PROCEDURE: Information Governance Incident Reporting Policy

| Minimum Requirement to be Monitored | Where described in policy | WHO (which staff / team / dept) | HOW MONITORED (Audit / process / report / scorecard) | HOW MANY RECORDS (No of records / % records) | FREQUENCY (monthly / quarterly / annual) | REVIEW GROUP (which meeting / committee) | OUTCOME OF REVIEW / ACTION TAKEN (Action plan / escalate to higher meeting) |
|---|---|---|---|---|---|---|---|
| Duties | Section 5 | IG Manager | Reports | N/A | Weekly, Monthly | TIRG, TRIGG | |
| How incidents are graded | Section 9 | IG Manager | Reports, IG toolkit, Exchange, StEIS | N/A | As required | TIRG, TRIGG | |
| How incidents are reported | Sections 7 & 8 | All staff | IG toolkit, Exchange, StEIS | N/A | Weekly, Monthly, Quarterly | TIRG, TRIGG, PS&S | |
| How the organisation reports incidents to external agencies | Section 8 | IG Manager, SI Manager | IG toolkit, StEIS, Reports | N/A | Weekly, Monthly, Quarterly | TIRG, TRIGG, PS&S | |
| How the organisation monitors compliance | Section 11 | IG Manager, SI Manager | IG toolkit, StEIS, Reports | N/A | Weekly, Monthly, Quarterly | TIRG, TRIGG, PS&S | |
| How the organisation trains staff | Section 11 | IG Manager, Incident Manager | Training records | N/A | Monthly | | |
| How the organisation shares learning | Section 8 | IG Manager, Comms | Newsletters, Exchange | N/A | Quarterly | TIRG, TRIGG, PS&S | |
| How the organisation monitors action plans | Section 8 | IG Manager, SI Manager | Reports, Exchange | N/A | Monthly | TIRG, TRIGG, PS&S | |


More information

Portable Devices and Removable Media Acceptable Use Policy v1.0

Portable Devices and Removable Media Acceptable Use Policy v1.0 Portable Devices and Removable Media Acceptable Use Policy v1.0 Organisation Title Creator Oxford Brookes University Portable Devices and Removable Media Acceptable Use Policy Information Security Working

More information

Incident reporting procedure

Incident reporting procedure Incident reporting procedure Number: THCCGCG0045 Version: V0d1 Executive Summary All incidents must be reported. This should be done as soon as practicable after the incident has been identified to ensure

More information

Security Awareness. A Supplier Guide/Employee Training Pack. May 2011 (updated November 2011)

Security Awareness. A Supplier Guide/Employee Training Pack. May 2011 (updated November 2011) Security Awareness A Supplier Guide/Employee Training Pack May 2011 (updated November 2011) Contents/Chapters 1. How do I identify a DWP asset 2. Delivering on behalf of DWP - Accessing DWP assets 3. How

More information

MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY

MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY Page 1 of 16 Contents Policy Information 3 Introduction 4 Responsibilities 7 Confidentiality 9 Data recording and storage 11 Subject Access 12 Transparency

More information

Version Number Date Issued Review Date V1 25/01/2013 25/01/2013 25/01/2014. NHS North of Tyne Information Governance Manager Consultation

Version Number Date Issued Review Date V1 25/01/2013 25/01/2013 25/01/2014. NHS North of Tyne Information Governance Manager Consultation Northumberland, Newcastle North and East, Newcastle West, Gateshead, South Tyneside, Sunderland, North Durham, Durham Dales, Easington and Sedgefield, Darlington, Hartlepool and Stockton on Tees and South

More information

Network Security Policy

Network Security Policy Department / Service: IM&T Originator: Ian McGregor Deputy Director of ICT Accountable Director: Jonathan Rex Interim Director of ICT Approved by: County and Organisation IG Steering Groups and their relevant

More information

BARNSLEY CLINICAL COMMISSIONING GROUP S REMOTE WORKING AND PORTABLE DEVICES POLICY

BARNSLEY CLINICAL COMMISSIONING GROUP S REMOTE WORKING AND PORTABLE DEVICES POLICY Putting Barnsley People First BARNSLE CLINICAL COMMISSIONING GROUP S REMOTE WORKING AND PORTABLE DEVICES POLIC Version: 2.0 Approved By: Governing Body Date Approved: Feb 2014 (initial approval), March

More information

Merthyr Tydfil County Borough Council. Data Protection Policy

Merthyr Tydfil County Borough Council. Data Protection Policy Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the

More information

Information Governance Framework. June 2015

Information Governance Framework. June 2015 Information Governance Framework June 2015 Information Security Framework Janice McNay June 2015 1 Company Thirteen Group Lead Manager Janice McNay Date of Final Draft and Version Number June 2015 Review

More information