NIGB. Information Governance Untoward Incident Reporting and Management Advice for Local Authorities


Information Governance Untoward Incident Reporting and Management Advice for Local Authorities

March 2013

Contents

1. The Role of the NIGB
2. Introduction
3. Background Information
4. The purpose of this document
5. Identification of an Information Governance Untoward Incident
6. Initial Reporting
7. Determining the severity of the Information Governance Untoward Incident
8. Managing the Incident
9. Internal Communications
10. External Communications
    10.1 Informing the Service User
    10.2 Informing the Information Commissioner's Office
    10.3 Media Management
    10.4 Informing others
11. Containment and Recovery
12. Investigation
13. Evaluation
14. Reporting
Appendix 1 - An example Information Governance Untoward Incident Checklist
Appendix 2 - Department of Health severity rating matrix

1. The role of the NIGB

The National Information Governance Board (NIGB) is an independent statutory advisory body established to promote, improve and monitor information governance in health and adult social care. The NIGB provides advice on the appropriate use, sharing and protection of patient and service user information. The NIGB also advises on the use of powers under Section 251 of the NHS Act 2006 and its associated regulations to permit the duty of confidentiality to be set aside where other legal routes are not available.

Information governance is the term used to describe the principles, processes and legal and ethical responsibilities for managing and handling information. It sets the requirements and standards that the NHS needs to achieve to ensure that information is handled legally, securely, efficiently and effectively. The NIGB regards information governance as essential for the lawful and ethical use of patient and service user information, both for the benefit of the individual to whom the information relates and for the public good.

2. Introduction

The NIGB is concerned about the increasing number of information governance related incidents, e.g. loss of confidential information about patients and service users, that are reported to the Information Commissioner by the NHS and Local Authorities. In each case the distress caused to the individual is significant, the duty of care owed to the individual is undermined, and the publicity surrounding these incidents has a detrimental impact on the public's trust in the provision of confidential services.

The definition of an information governance incident is:

"Any incident involving the actual or potential loss of personal information that could lead to identity fraud or have other significant impact on individuals should be considered as serious" [1]

[1] DH Checklist for Reporting, Managing & Investigating Information Governance Serious Untoward Incidents

The NIGB is also concerned that the policy and procedures for the effective management of an information governance incident differ across health and care sectors, and so there are inconsistencies in the way in which organisations respond that may disadvantage the service user, particularly where that makes a difference to whether or not they are informed.

It is also the NIGB's opinion that organisations are more likely to ensure that any systemic problems that put confidential information at risk of loss or unauthorised access are recognised and addressed when lessons are shared and learned from actual and near-miss incidents. In order for organisations to take the appropriate steps to mitigate those risks, it is necessary to have a robust policy in place that outlines the procedures for dealing with an information governance incident. Reliable intelligence gathered from the processes to report, manage and investigate an information governance breach will enable an organisation to identify and analyse root causes, determine and implement remedial action, train staff appropriately and ensure that the measures implemented are effective and personal data is adequately protected. It will also enable the organisation to manage the relationship with the service user in those circumstances fairly and equitably.

NHS organisations were mandated to implement measures for managing and reporting Information Governance Serious Untoward Incidents in 2008 [2]. Since then there has been a need for a consistent approach to the reporting, the evaluation of the severity of a breach and the management procedures for dealing with the incident. This includes the duty to inform the person whose information has been compromised as well as notifying the Information Commissioner. There is no comparable central mandate or guidance to specify how an information governance incident should be dealt with by a Local Authority.

[2] Matthew Swindells letter of 20 February 2008 (Gateway 9571), which included guidance on the process for reporting Information Governance (IG) Serious Untoward Incidents and assessing their severity

The NHS is also progressing towards implementing a duty of candour, which is written into the 2013/14 NHS Contracts and, it is anticipated, will become a part of the NHS Constitution and therefore applicable to all organisations and sectors providing health and care services. Under this duty, NHS organisations will be required to be open and tell patients about mistakes, particularly where their safety has been compromised, to apologise, and to ensure lessons are learned to prevent them from being repeated [3]. The NIGB supported this proposal in our written response to the Department of Health's consultation [4], as it is our view that patients should be informed because only the individual can make an accurate assessment of the risk of harm that might arise from a breach of confidentiality. It also recognises the patient's/service user's position as a partner in the provision of health and care services. For these reasons we also believe that this duty should extend across all service providers and not just to those operating under an NHS contract.

[4] NIGB Response to the Department of Health's Duty of Candour consultation: n%20jan% pdf

Local Authorities have internal procedures in place to report and manage untoward incidents, but those procedures are determined and implemented locally and may not include comparable duties to notify individual service users and the Information Commissioner, or enable a cross-organisational understanding of their information governance risks and their mitigation.

The NIGB's recommendation to Local Authorities is to design and implement a policy for dealing with an information governance untoward incident that is comparable to those mandated and in operation within the NHS, in order to introduce a standardised system across all providers of health and care services. We consider the need for a common approach to be of particular importance where those services are integrated, so that the patient's/service user's rights are dealt with equally and fairly by all organisations involved in the care pathway. It will also enable the service provider to identify and address any weakness in the technical and organisational information security measures designed to protect service user information, and contribute to the training and awareness of staff in their individual responsibilities when handling confidential information.

This advice has been written to assist Local Authority Information Governance Officers with the design and implementation of an Information Governance Untoward Incident Policy and Procedure, and for all staff who are responsible for the reporting, investigation and management of those incidents. The Information Commissioner's Office has produced guidance on data security breach management, which is available from the ICO.

3. Background Information

The seventh principle of the Data Protection Act 1998 (DPA) requires a Data Controller [5] (an organisation) to have appropriate technical and organisational measures in place to keep personal data secure and protected against unauthorised or unlawful processing, and to prevent its accidental disclosure, destruction, damage or loss. In particular an organisation is required to:

- design and organise security measures that are appropriate to the nature of the personal data held and the harm that may result from a security breach
- be clear about who is accountable for ensuring information security
- support the physical and technical security measures with clear and robust policies and procedures, and ensure staff are suitably trained and aware of their responsibilities
- have procedures in place to detect and respond to any breach of information security swiftly and responsibly

[5] See Data Protection Act 1998 Part 1 section 1 definitions

If an organisation's information security measures are inadequate, the risk of an information governance untoward incident occurring will be higher, but even an organisation that does have robust measures in place will not be immune from a data breach happening at some point. It will, however, make a difference when that breach is investigated, because the Data Controller will be able to demonstrate that it has taken appropriate organisational measures to comply with the seventh principle.

The Information Commissioner (IC) is the Regulator for the Data Protection Act and has the lawful power to take action where a Data Controller is found to be failing to comply with the principles of the Act [6]. Under sections 55A and 55B of the DPA (introduced by the Criminal Justice and Immigration Act 2008, which came into force on 6 April 2010), the Information Commissioner may, where there has been a serious contravention of the Act, serve a monetary penalty of up to £500,000 on the Data Controller. Other enforcement measures can be used in conjunction with the monetary penalty; however, the application of the severest action requires the contravention to have been serious, causing distress to the person whose personal data was involved, and it must have been either deliberate or the Data Controller must have known, or ought to have known, that there was a risk that a contravention could occur and failed to take reasonable steps to prevent it.

[6] DPA Section 4(4): "it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller"

To date the monetary penalties served on Local Authorities have nearly reached £2 million, and in every case the organisation was found to have failed in its duty to implement effective organisational and technical security measures to protect personal information in line with the seventh DPA principle. In the Guide to Data Protection [7], the Information Commissioner's Office (ICO) provides guidance on what an organisation is expected to do to ensure compliance with the seventh principle, which includes being ready to respond to any breach of security swiftly and efficiently.

[7] The ICO's Guide to Data Protection: on/practical_application/the_guide_to_data_protection.ashx

4. The Purpose of this document

This advice is intended for all Local Authority staff involved in the management of an Information Governance untoward incident, for example Information Governance Officers, Line Managers, Heads of Service, Caldicott Guardians, Senior Information Risk Owners and Chief Executives. It is particularly written to assist Information Governance Officers in the design of an Information Governance Untoward Incident Policy.

The definition of an information governance incident is:

"Any incident involving the actual or potential loss of personal information that could lead to identity fraud or have other significant impact on individuals should be considered as serious" [8]

[8] DH Checklist for Reporting, Managing & Investigating Information Governance Serious Untoward Incidents

An Information Governance Untoward Incident is a contravention of the seventh data protection principle.

Anybody who handles personal information about a service user in the course of their work carried out for or on behalf of the Local Authority should know how to identify an Information Governance Untoward Incident, who to report it to, and what their responsibilities are in the subsequent actions for investigating and managing that incident. The organisation should have an Information Governance Untoward Incident Policy that sets out how an incident will be managed. It is recommended that this Policy is incorporated into the organisation's IT Disaster Recovery, Business Continuity and Communication Plans as evidence of organisational and technical measures taken to comply with the seventh DPA principle.

The intention is to ensure that:

- the management of IG untoward incidents conforms to the processes and procedures set out for managing all incidents of a similar nature across all health and care services, in particular where those services are integrated
- there is a consistent approach to the management, evaluation and reporting of IG untoward incidents
- early reports of IG untoward incidents are sufficient to decide the appropriate escalation, notification and communication to senior personnel within the Authority, the individual service user(s) and the Information Commissioner
- immediate action is taken to assess the impact on the service user and ensure their safety
- the service user(s) is informed appropriately
- appropriate action is taken to prevent or limit damage to the service user, staff and the reputation of the Local Authority
- all aspects of an incident are fully explored and lessons learned are identified, recorded and communicated
- corrective action is taken by the organisation to prevent recurrence
- information is provided to the Board through regular reports to ensure executive understanding of organisational performance and risks, and high level authorisation and support to drive organisational change and improvement.

5. Identification of an Information Governance Untoward Incident

An information governance breach can happen for a number of reasons, for example (but not limited to):

- loss or theft of personal data, or of equipment on which personal data is stored
- loss or theft of confidential information held in paper records
- failure of technical controls that allows or risks unauthorised access to personal data, e.g. encryption software not applied
- human error, such as sending a fax to a wrong number, an email to the wrong recipient, a letter to the wrong address etc.
- failure to use the security measures provided, e.g. secure email, protective marking (failure to follow information governance policy)
- unforeseen circumstances such as a fire or flood
- hacking attack
- blagging offences, where information is obtained, or an attempt is made to obtain personal information, by deceiving the organisation that holds it

Where there is a near miss, for example a record containing personal, sensitive information cannot be found after an extensive search and is therefore assumed to be lost, or it is suspected that there may have been unauthorised access to a record containing personal information, these near-miss or unproven incidents should be reported, recorded, risk assessed and acted upon in accordance with the IG Untoward Incident Policy until further information confirms that the record has been recovered or the suspicion is unfounded, at which point the severity of the incident can be downgraded. The information collected during the process is invaluable to the organisation for risk assessment purposes and is used to identify and share the lessons learned.

If a breach has occurred, the following are important elements of any Information Governance Untoward Incident Management Plan:

1. Initial reporting
2. Containment and recovery
3. Managing the incident
4. Notification
5. Evaluation and final reporting, including recommendations to prevent further incidents of the same nature.

It is, however, important that when it is first realised that an incident has occurred, the service responsible should make an assessment of the immediate risk to the service user and take any action necessary to make the situation safe. For example, if personal information that included the address and key safe code of a vulnerable adult has been lost, then the first priority should be to ensure the safety of the individual.

6. Initial Reporting

Local Authorities should have robust policies and procedures in place to ensure that the appropriate members of staff are notified immediately of any incident that involves the compromise or loss of personal data or other breach of confidentiality. Ideally, there should be a named individual responsible for managing the Information Governance Untoward Incident process on behalf of the organisation. This central oversight and management of all reported incidents, including incidents of low severity, will ensure the response is appropriate and consistent, and will also enable the organisation to understand where serious risks might lie and inform decisions on what action needs to be taken to mitigate those risks. Without a central point of reference, the organisation may not be able to measure the effectiveness of the technical and organisational measures in place to protect personal information, or identify and correct common or systemic failures in its information governance controls. This not only increases the risk of an incident occurring, it also puts the organisation at a higher risk of the more severe ICO penalties in the event of an investigation, by failing to have organisational measures in place to comply with the seventh data protection principle.

All Information Governance untoward incidents, including suspected incidents (near misses), should be reported to the central point of contact for the organisation (the Incident Co-ordinator), even if the incident is to be investigated and managed by a local area manager. The management of an incident needs to be proportionate and consistent. It is both impractical and unnecessary to conduct a full scale investigation into a small scale incident, but there also needs to be some commonality in how the incident is managed, so the approach has to have some element of flexibility. The Incident Co-ordinator should assess the facts reported and determine the appropriate next steps.

The incident should be reported as soon as possible after it occurred or is realised (within 24 hours) and should include as much detail as possible (see Appendix 1 - Example Information Governance Untoward Incident Checklist). The report should be updated as more information becomes available, but the following is required in the initial stage in order to make an assessment of severity and determine the necessary action to be taken:

- date, time and location of the incident
- the type of incident, e.g. loss of personal information, unauthorised access etc.
- the name and contact details of the person reporting the incident
- contact details for the local incident manager
- a detailed description of the incident, e.g. what happened: theft, accidental loss, inappropriate disclosure, procedural failure etc.
- the type of record or data involved and its sensitivity
- the number (or estimate) of individual data subjects involved
- the number of records involved and the media (paper, electronic) of the records
- if electronic media, whether the data was encrypted or not
- any other important factor necessary to determine the impact, e.g. local press involvement, incident reported by a member of the public etc.

An initial assessment of the severity of the incident based on the reported facts should be made, and immediate action taken to recover data (where possible), limit the damage, inform those who need to know, assign responsibility and commence the investigation process.

7. Determining the severity of the incident

The harm caused by an information security breach will differ depending on the circumstances, nature and quantity of the information lost. Key considerations when assessing the severity of an incident include the potential harm to the individual or individuals whose personal information has been compromised, and what immediate steps need to be taken to ensure their personal safety. Risk assessment methods commonly categorise incidents according to the predicted consequences to give a severity rating which determines a course of action to follow. The NHS uses a matrix to determine a risk score (see Appendix 2). The risk score increases when a large number of individuals' personal data is involved. However, it should be noted that ICO monetary penalties have been served on Local Authorities where only one or two individuals have been affected, because the nature of the information accidentally disclosed was highly sensitive and its loss or exposure caused the individual significant distress.

The only central guidance currently available to assist organisations in the assessment of severity is the Department of Health matrix, which can be used to give an initial baseline score which should then be revised and adjusted in light of the presenting facts and additional risks such as sensitivity and potential harm. The incident should be categorised at the highest level that applies when all of the characteristics, potential outcomes and risks have been considered. For example:

Scenario: The loss of an unencrypted laptop holding a spreadsheet of personal demographic information about a large number of people, which would identify individuals and their bank details, has been reported to the local press.

Assessment: The DH Matrix scores this at severity level 4 (out of 5). The combination of risk factors, i.e. the potential for damage to the organisation's reputation, the risk of identity theft, media coverage, the high number of people involved and ICO enforcement action, confirms a high risk/high severity rating.

The severity rating would, however, reduce to low if the data had been held on an encrypted laptop, because there is then no realistic risk of identities and related data being revealed: a technical information security measure has been applied, so the seventh Data Protection principle is met and national information security policy has been adhered to. This holds only where the encryption was actually in force on the device and the key or passphrase was not lost or disclosed along with it, which is why the initial report must record whether the data was encrypted. According to the ICO's breach reporting guidance, this would not be considered serious enough to report and, as there is no risk to the individuals concerned, there would be no requirement to inform them. It would, however, be advisable to notify the ICO where the individual service users have been informed of the incident and/or there is some media interest, because of the increased possibility that it will be reported to the Regulator by someone else.

8. Managing the Incident

All incidents, regardless of severity, need to be managed and investigated. It is worth investing resources into investigating the low severity incidents (although that should be proportionate), because they may indicate a systemic problem or developing risk that would not otherwise be obvious, and this allows the organisation to take remedial action to prevent a deteriorating situation developing into an eventual breach.

It is essential to identify who is responsible for the overall management of an incident and for coordinating all of the separate related activities, including who will take responsibility for informing the individual data subjects and how to manage their expectations and concerns. In some circumstances it may be necessary to involve the Human Resources department, if it is necessary to suspend the relevant member of staff whilst the incident is under investigation. Where that is the case, their right to confidentiality needs to be taken into consideration, especially where that might lead to further disciplinary action being taken.

The central Incident Co-ordinator should coordinate the incident management procedures, ensuring that timely progress is made and deadlines are met, the people involved are kept informed, and records are maintained and kept up to date. Decisions taken at the start of the procedures need to be assessed and adjusted as further information becomes known and, where necessary, communicated to all those involved.

9. Internal Communications

Where it is suspected that an IG incident has taken place, it is good practice to notify key senior personnel. Who will need to know depends on the organisation's structure, internal policy and the severity of the incident, but may include all or some of the following examples (role titles will vary within organisations):

- Line Manager
- Senior Departmental Officer/Head of Service (Breach Owner)
- Head of Information Governance Compliance/Data Protection Officer
- Legal Data Protection adviser
- IT Security Manager
- Head of Communications
- Senior Information Risk Owner (SIRO)
- Caldicott Guardian

Where a breach is classified as serious and requires reporting to the data subject(s) and to the ICO, consideration should also be given to notifying the following key staff:

- Director or Head of Service
- Chief Executive
- Head of Human Resources
- Corporate Risk Manager
- Communication Service
- Legal team
- Lead Member
- Complaints Team
- Emergency Planning (if risk to community)
- Insurance Services

10. External Communications

10.1 Informing the data subjects

Whilst there is no legal obligation to report a data loss incident to the individual or to the Information Commissioner's Office (ICO), doing so should be a matter of good practice and routine procedure, and be seen as a duty of care. In some circumstances it may not be necessary to tell the individual, and in making the decision about what action to take the organisation needs to make an assessment of the pros and cons of informing or not informing. It is, however, the NIGB's opinion that only the individual can make an accurate risk assessment of the personal harm that might have been caused and what action they need to take to mitigate those risks. Harm can range from mild inconvenience or annoyance, through the personal risk or disruption of service that might arise from the loss of information at the point of care, up to the significant distress caused by a breach of confidentiality or the risk of identity theft or other financial loss. From the analysis of the monetary penalties imposed on Local Authorities by the Information Commissioner, his interpretation of "significant distress" suggests that just the knowledge that somebody, who had no business or reason to otherwise know, has had sight of very personal and sensitive information is enough in itself to constitute harm.

In our experience organisations are often reluctant to be candid and inform the individuals whose personal information has been lost or compromised, for fear of the repercussions. Honesty and saying sorry to the individual concerned will in the majority of cases enable the organisation to limit the damage caused and re-establish a steady state in the user/provider relationship. Not being honest risks a bad situation becoming even worse if the incident is later found out by other means and the organisation appears to have attempted to cover it up. Being candid will not exempt or protect an organisation from complaint or enforcement action by the ICO, but it is recommended as good practice and is advantageous in the event of a subsequent formal investigation, as opposed to a situation where the incident is reported to the ICO by the service user or a whistleblower.

How to inform a service user about the loss of their personal data, and who is responsible for telling them, is an important part of the incident management process. Special consideration needs to be given to how to inform children or vulnerable adults. It is also important to consider the duty of care to the service user in terms of the possible adverse impact the information may have on their physical or mental wellbeing. The approach needs careful consideration, and it may be necessary to ensure both immediate and ongoing support is available where there is a concern that the news will cause significant distress.

The Information Commissioner's guidance on data security breach management provides the following advice on what to consider when notifying individual service users:

- You should at the very least include a description of how and when the breach occurred and what personal data was involved. Include details of what you have already done to respond to the risks posed by the breach.
- When notifying individuals, give specific and clear advice on the steps they can take to protect themselves and also what you are willing to do to help them.
- Provide a way in which they can contact you for support and further information.

Further information is available in the ICO's Guide on Information Security Breach Management: cuments/library/data_protection/practical_application/guidance_on_data_security_breach_management.ashx

10.2 Informing the Information Commissioner's Office

The ICO has produced guidance for organisations on the information that should be reported to them as part of a breach notification. This guidance is available on the ICO's website: /principle_7.aspx

10.3 Media Management

Arrangements should be made to ensure that press and media enquiries are appropriately managed. It is therefore good practice to alert the organisation's Communications department to the very basic facts and a contact number for further information, so that they can prepare a press statement in advance, deal with any incoming enquiries and manage the organisation's subsequent public statements.

10.4 Informing others

You may also need to consider notifying third parties such as professional bodies and trade unions where staff data has been compromised. In some circumstances it may be necessary to consider informing the Police and/or Counter Fraud services.

11. Containment and recovery

It may be necessary to contain the incident and preserve forensic evidence, or to attempt to recover the data, if the incident is due to a technology failure or where factual information is available via automated audit trails. In practice, preserving evidence means that an affected device, account or record should not be reused, reset or wiped before the evidence has been captured, and that the relevant audit logs are secured before they are overwritten. This requires specialist information technology advice, and our recommendation is to ensure the availability of expert knowledge to provide support and advice to the Incident Co-ordinator. Where specialist third party services are commissioned to recover data or provide audit trails etc., it is important to ensure that a written contract is established which clearly specifies the organisation's instructions and satisfies the Data Controller/Data Processor arrangements set out in the seventh Data Protection principle.

12. Investigation

Ideally, the person responsible for conducting an investigation should be someone who can provide an independent and unbiased view. They should have the authority to mobilise the necessary resources to assist them in their investigation and to interview all relevant personnel. It may be necessary to temporarily suspend the staff member involved, in which case their line manager and Human Resources would need to be contacted. The Incident Co-ordinator should be kept updated as the investigation progresses, and it may be necessary to revise and amend decisions made at the beginning of the investigation as further information emerges.

The investigating officer should:

- have a general understanding of the nature of the concerns that an information governance incident would raise
- be familiar with local policy and procedure
- have had some training in, and/or be experienced in, the investigation process
- have access to relevant advice and expertise to assist them
- have the necessary time to conduct the investigation protected

The investigating officer should remain objective, collect evidence and focus on the facts presented in order to make an accurate assessment of the root causes of the incident.

13. Evaluation

Various tools are available to help to analyse the information obtained during an investigation. The National Patient Safety Agency has developed a series of guidance and materials to assist in the reporting and management of incidents within the NHS. Guidance is also available from the Health and Safety Executive: "Investigating accidents and incidents: A workbook for employers, unions, safety representatives and safety professionals".

It is important to remain objective and to formulate an opinion about the actual causes of the incident from the facts obtained during the investigation, as opposed to making assumptions. Incidents are often caused by a combination of factors rather than a single event, and it is therefore important to explore the related events as well as the actual event. For example, if the incident was caused because a member of staff had not received adequate training, questions should be asked about the organisation's training policy: what training was available, would that training have prevented the incident, why had training not been provided, why was booked training cancelled, etc. This will help to determine what remedial action the organisation should take to prevent further incidents, for example by ensuring that training material is adequate, cancelled training sessions get re-arranged, etc.

14. Reporting

Case records should be kept secure and confidential and should be managed in accordance with organisational policy on records and information management and the Data Protection Act.

Where information is held separately by those involved in the management and investigation of the incident, it should be collected after that process has been completed and held in a secure central area.

The investigation report should contain information that explains the facts of the case and supports subsequent decision making. Recommended headings include:

- Introduction
- Background
- The investigation and methods used
- Findings of fact
- Conclusion
- Recommendations
- An action plan and timetable for implementation of the recommendations, including who is responsible for those actions

Organisational policy should specify what happens to the final report, i.e. who should receive it and who is responsible for taking the recommendations forward. It may also depend on outcomes: for example, where the risk of further incident is a localised event within a specific service area, the report should be presented to the Director or Head of Service who is responsible for the final decision and for authorising the recommendations. If, however, the risk extends to the rest of the organisation, the Senior Information Risk Owner (SIRO) should receive the report and decide its further distribution and implementation. It may, for example, be necessary to liaise with other senior personnel or seek legal advice before endorsing and acting upon the recommendations made.

A summary of the findings and recommendations should be reported to the Board to inform them of the incident and to authorise the necessary action, especially where there is a risk of a similar occurrence elsewhere in the organisation.

Periodic reports providing statistical and factual information about the Information Governance Untoward Incidents reported within the organisation should be presented to the Board, with an analysis of risk and recommended mitigating action, to provide assurance that technical and organisational security measures are effective, or to authorise action wherever necessary to strengthen and improve the controls designed to protect the personal data for which the organisation is responsible.

Appendix 1 Example Information Governance Untoward Incident Management Checklist

Information Governance Incident Management Checklist

Incident Reference Number:
Date Started:
Date Completed:
Severity Rating:
Service User informed (Y/N):
ICO informed (Y/N):
Department Responsible:
Investigating Officer:
Address:
Telephone Number:
Address:

Required Information (each item has a Check column and a Date column to record completion):

1 Date, time and location of incident
2 Confirmation that LA information governance incident guidelines are being followed and appropriate action is being taken
3 Description of what happened: theft, accidental loss, inappropriate access/disclosure, procedural failure etc.
4 Number of individuals/staff (individual data subjects) involved and/or number of records
5 The type of record or information/data involved and its sensitivity
6 If information was in paper format, how it was being transferred or stored when lost, i.e. locked briefcase or envelope
7 If electronic media, whether encrypted or not
8 Whether the information security incident is in the public domain, whether the media (press etc.) are involved or there is a potential for media interest. Has a press statement been prepared?
9 Whether the reputation of an individual(s), team, an organisation or the Local Authority as a whole is at risk, and whether there are legal implications
10 Whether the Information Commissioner has been or will be notified and, if not, why not
11 Whether data subjects have been or will be notified and, if not, why not
12 Whether the police have been involved
13 Immediate action taken, including whether any staff have been suspended pending the results of the investigation
14 Whether there are any consequent risks of the incident (e.g. individual safety, continuity of service etc.) and how these will be managed
15 What steps have been or will be taken to recover records/data (if applicable)
16 What lessons have been learned from the incident and how recurrence will be prevented
17 Whether, and to what degree, any member of staff has been disciplined by the organisation or 3rd party company (where applicable); if not appropriate, why
18 Closure of information security incident: only when all aspects, including any disciplinary action taken against staff, are settled

Appendix 2 Severity rating matrix (Department of Health)

The matrix rates an incident on two dimensions, each listed here from lowest to highest severity.

Reputation and media impact:

- No significant reflection on any individual or body. Media interest very unlikely.
- Damage to an individual's reputation. Possible media interest, e.g. celebrity involved.
- Damage to a team's reputation. Some local media interest that may not go public.
- Damage to a service's reputation. Low key local media coverage.
- Damage to an organisation's reputation. Local media coverage.
- Damage to the organisation's reputation. National media coverage.

Breach of confidentiality:

- Minor breach of confidentiality. Only a single individual affected.
- Potentially serious breach. Less than 5 people affected or risk assessed as low, e.g. files were encrypted.
- Serious potential breach and risk assessed high, e.g. unencrypted sensitive records lost. Up to 20 people affected.
- Serious breach of confidentiality, e.g. up to 100 people affected.
- Serious breach with either particularly sensitive data or up to 1000 people affected.
- Serious breach with potential for ID theft or over 1000 people affected.

NB: This matrix is currently under revision but is provided as a guide to assist in the initial assessment of severity.


More information

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose...

IM&T Infrastructure Security Policy. Document author Assured by Review cycle. 1. Introduction...3. 2. Policy Statement...3. 3. Purpose... IM&T Infrastructure Security Policy Board library reference Document author Assured by Review cycle P070 Information Security and Technical Assurance Manager Finance and Planning Committee 3 Years This

More information

Checklist Guidance for Reporting, Managing and Investigating Information Governance Serious Incidents Requiring Investigation

Checklist Guidance for Reporting, Managing and Investigating Information Governance Serious Incidents Requiring Investigation Checklist Guidance for Reporting, Managing and Investigating Information Governance Serious Incidents Requiring Investigation 1 st June 2013 Version 2.0 Revision History Version Date Summary of Changes

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

RECORDS MANAGEMENT POLICY

RECORDS MANAGEMENT POLICY [Type text] RECORDS MANAGEMENT POLICY POLICY TITLE Academic Year: 2013/14 onwards Target Audience: Governing Body All Staff and Students Stakeholders Final approval by: CMT - 1 October 2014 Governing Body

More information

Information Governance Strategy :

Information Governance Strategy : Item 11 Strategy Strategy : Date Issued: Date To Be Reviewed: VOY xx Annually 1 Policy Title: Strategy Supersedes: All previous Strategies 18/12/13: Initial draft Description of Amendments 19/12/13: Update

More information

UK Data Risks Incident RoadMap

UK Data Risks Incident RoadMap Data breach summary steps Hiscox s data breach Experts Knowing what to do in the event of a data breach ( security incident ) can make the situation much less daunting when it may seem like your house

More information

Policy: IG01. Information Governance Incident Reporting Policy. n/a. Date ratified: 16 th April 2014

Policy: IG01. Information Governance Incident Reporting Policy. n/a. Date ratified: 16 th April 2014 Policy: IG01 Information Governance Incident Reporting Policy Version: IG01/01 Ratified by: Trust Management Team Date ratified: 16 th April 2014 Title of Author: Head of Governance Title of responsible

More information

Somerset County Council - Data Protection Policy - Final

Somerset County Council - Data Protection Policy - Final Organisation Title Author Owner Protective Marking Somerset County Council Data Protection Policy - Final Peter Grogan Information Governance Manager Unclassified POLICY ON A PAGE Somerset County Council

More information

Human Resources and Data Protection

Human Resources and Data Protection Human Resources and Data Protection Contents 1. Policy Statement... 1 2. Scope... 2 3. What is personal data?... 2 4. Processing data... 3 5. The eight principles of the Data Protection Act... 4 6. Council

More information

An Approach to Records Management Audit

An Approach to Records Management Audit An Approach to Records Management Audit DOCUMENT CONTROL Reference Number Version 1.0 Amendments Document objectives: Guidance to help establish Records Management audits Date of Issue 7 May 2007 INTRODUCTION

More information

Information Governance Policy

Information Governance Policy Information Governance Policy 1 Introduction Healthwatch Rutland (HWR) needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its

More information

Privacy and Electronic Communications Regulations

Privacy and Electronic Communications Regulations ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3

More information

Data Protection Act 1998. Monetary Penalty Notice. Dated: 20 February 2015

Data Protection Act 1998. Monetary Penalty Notice. Dated: 20 February 2015 Data Protection Act 1998 Monetary Penalty Notice Dated: 20 February 2015 Name: Staysure.co.uk Limited Address: McGowan House, Waterside Way, The Lakes, Northampton, NN4 7XD Statutory framework 1. Staysure.co.uk

More information

PRIVACY BREACH POLICY

PRIVACY BREACH POLICY Approved By Last Reviewed Responsible Role Responsible Department Executive Management Team March 20, 2014 (next review to be done within two years) Chief Privacy Officer Quality & Customer Service SECTION

More information

Should an investigation be undertaken into your centre, the head of centre must:

Should an investigation be undertaken into your centre, the head of centre must: Malpractice and Maladministration Policy Introduction This policy is aimed at all customers, approved centres and learners who are delivering or registered on Crossfields Institute approved qualifications

More information

Information Security Incident Management Policy

Information Security Incident Management Policy Information Security Incident Management Policy Version: 1.1 Date: September 2012 Unclassified Version Control Date Version Comments November 2011 1.0 First draft for comments to IT Policy & Regulation

More information

Discipline. Managing People. VOIP 2000 - HR Direct Fife Council April 2015 1 DI02. P o l i c y a n d P r o c e d u r e. 1 Purpose and Scope

Discipline. Managing People. VOIP 2000 - HR Direct Fife Council April 2015 1 DI02. P o l i c y a n d P r o c e d u r e. 1 Purpose and Scope Discipline P o l i c y a n d P r o c e d u r e 1 Purpose and Scope This procedure is designed to help and encourage all employees to achieve and maintain standards of conduct. This procedure applies to

More information