Checklist Guidance for Reporting, Managing and Investigating Information Governance Serious Incidents Requiring Investigation


1st June 2013
Version 2.0

Revision History

Version | Date | Summary of Changes
V0.1 | October 2012 | Initial draft pre development of IG Incident Reporting Tool and post review of old checklist guidance by NHS IG Leads
V0.2 | March 2013 | Second draft post development of IG Incident Reporting Tool
V0.3 | April 2013 | Third draft for Department of Health review
V0.4 | 23/05/2013 | Fourth draft for Information Commissioner's Office review
V0.5 | 26/05/2013 | Fifth draft including DH and ICO feedback and converted into HSCIC format
V2.0 | 01/06/2013 | Final version for Publication

Supersedes DH version V1.0 January 2010

Contents

1 What is a SIRI?
2 Introduction
3 Purpose
4. IG Incident Reporting Tool
5. Checklist
5.1 Initial Reporting
5.2 Managing the incident
5.3 Investigating the incident
5.4 Final Reporting, Lessons Learned and Closure of the incident
6 Further assistance
Annex A - Assessing the Severity of the Incident
Annex B - Publishing details of SIRIs in annual reports and Statements of Internal Control (SIC)
Annex C - Serious Incidents Requiring Investigation Breach Types Defined
Annex D - Monetary Penalty Notices Issued 2011/

1 What is a SIRI?

Information Governance related Serious Incident Requiring Investigation (IG SIRI)

There is no simple definition of a serious incident. What may at first appear to be of minor importance may, on further investigation, be found to be serious and vice versa. As a guide:

- Any incident which involves actual or potential failure to meet the requirements of the Data Protection Act and/or the Common Law of Confidentiality.
- This includes unlawful disclosure or misuse of confidential data, recording or sharing of inaccurate data, information security breaches and inappropriate invasion of people's privacy.
- Such personal data breaches which could lead to identity fraud or have other significant impact on individuals.
- Applies irrespective of the media involved and includes both electronic media and paper records.

See Annex C for further definitions and examples of IG SIRI Breach Types.

2 Introduction

It is essential that all IG SIRIs which occur in Health, Public Health and Adult Social Care services are reported appropriately and handled effectively. Commissioned services should be subject to the same requirements to report data breaches to the commissioner of the service and directly through the arrangements described in this document.

This guidance document covers the reporting arrangements and describes the actions that need to be taken in terms of communication and follow up when an IG SIRI occurs. Organisations should ensure that any existing policies for dealing with IG SIRIs are updated to reflect these arrangements.

This guidance supersedes the Department of Health Checklist for Reporting, Managing and Investigating Information Governance Serious Untoward Incidents Gateway Ref: published in January

This guidance document and supporting IG Incident Reporting Tool product (hosted on the IG Toolkit website) [2] applies to all Organisations providing or supporting Health and Adult Social Care services in England. The development of this guidance and the new IG Incident Reporting Tool involved representatives from the NHS, DH IG & Standards Policy and the ICO Enforcement Department.

Information Commissioner's Office Statement of Support

The health sector routinely handles extremely sensitive personal data, and it is essential that such information is looked after appropriately. On the occasions where that has not been achieved, it is important that the relevant authorities are made aware at the earliest opportunity. The National Health Service (NHS) has an established culture of informing the ICO of all data breaches, and we welcome the new incident reporting tool which will mandate that reporting process and make it simpler and more efficient. The ICO has worked closely with the Health and Social Care Information Centre to support the development of the reporting tool and we anticipate that it will become a useful resource for information governance professionals within the NHS.

3 Purpose

To date the monetary penalties served on Local Authorities have nearly reached 2 million and in every case the organisation was found to have failed in its duty to implement effective organisational and technical security measures to protect personal information in line with the 7th DPA principle. Annex D shows a summary of the monetary penalty notices issued by the ICO from February 2011 to February 2013 on healthcare organisations and council fines. This clearly demonstrates that there is an ongoing problem which needs to be addressed.

[2] Information Governance Toolkit Website - hosting the IG Incident Reporting Tool

The IG Incident Reporting Tool will play a key role in providing this visibility/knowledge and encouraging collaborative partnership working amongst key stakeholders to find solutions for addressing issues.

The purpose of this guidance is to support health and adult social care commissioners, providers, suppliers and staff in ensuring that:

- the management of IG SIRIs conforms to the processes and procedures set out for managing all Serious Incidents Requiring Investigation;
- there is a consistent approach to evaluating IG SIRIs;
- early reports of IG SIRIs are sufficient to decide appropriate escalation, notification and communication to interested parties;
- appropriate action is taken to prevent damage to patients, staff and the reputation of Healthcare, Public Health or Adult Social Care;
- all aspects of an IG SIRI are fully explored and lessons learned are identified and communicated; and
- appropriate corrective action is taken to prevent recurrence in line with the open data transparency strategy.

4. IG Incident Reporting Tool

From June 2013 all Organisations processing health and adult social care personal data are required to use the IG Toolkit Incident Reporting Tool to report level 2 IG SIRIs [4] to the DH, ICO and other regulators.

A Memorandum of Understanding is in development between the Department, Health and Social Care Information Centre and the Information Commissioner to share intelligence on IG SIRIs for the purpose of supporting, guiding, investigating breaches, performance monitoring and improving standards of health and adult social care services.

Local clinical and corporate incident management and reporting tools (including Strategic Executive Information System - STEIS) [5] can continue to be used for local purposes but notifications of IG SIRIs for the attention of DH and the ICO must be communicated using the IG Incident Reporting Tool with immediate effect.

[4] Level 2 IG SIRIs are sufficiently high profile cases or deemed a breach of the Data Protection Act or Common Law Duty of Confidentiality, and hence reportable to the Department of Health and Information Commissioner's Office. See Annex A for further detail on severity levels.

All existing data, provided previously by Strategic Health Authority IG Leads who used to manage and report IG SIRIs on behalf of NHS Organisations, has been transferred onto the new Incident Reporting Tool. This data may need validating and updating as it is based on updates provided by IG Leads from April 2011 to March 2013 and has been migrated from the old assessing severity scheme to the new approach as described in this guidance. Organisations with a history of incidents should ensure this validation takes place before the next quarter end (September 2013).

Reports of health and adult social care IG SIRIs will be published on the IG Toolkit website quarterly following the launch of the IG Incident Reporting Tool.*

*IMPORTANT DISCLAIMER

All information recorded under a Closed IG SIRI on the IG Toolkit Incident Reporting Tool will be published quarterly by the Health and Social Care Information Centre (HSCIC). Organisations must therefore check the content recorded within the IG Incident report before closing the record to ensure that you do not include any information that you would not normally provide or publish yourself if requested under the Freedom of Information Act.

Other IG SIRIs marked as Open, Withdrawn or Duplicate will not be published by the HSCIC. See the Publication Statement on the IG Incident Reporting Tool landing page or accessible via the IG Toolkit Knowledgebase [8] for further detail.

Footnotes: the Legislation; ICO Guidance; [8] IG Toolkit Website - Knowledge Base

5. Checklist

The checklist guidance should be used by all staff involved in managing IG SIRIs. It is important to note that much of this checklist will be applicable to near misses. Staff should be encouraged to report IG SIRI near misses and the opportunity taken to identify and disseminate the lessons learnt. All staff should know to whom they should report and escalate suspected or actual IG SIRIs.

All organisations should already have in place an Incident Response Plan (IRP) covering Disaster Recovery, Business Continuity and the development of effective Communications Plans. It is recommended that this checklist is incorporated into the IRP.

Organisations are expected to report IG SIRIs directly to the HSCIC via the IG Incident Reporting Tool hosted on the secure IG Toolkit website. Further detail on the tool, how it works and how to access etc can be found in the IG Incident Reporting Tool User Guide. Incidents reported will be automatically relayed on to the ICO and other regulators, as appropriate.

The main parts of the process are:

- Initial reporting
- Managing the incident
- Investigating
- Final reporting

[Flowchart: IG SIRI High Level Process. Boxes: Potential SIRI; Make an initial assessment on IGT Incident Reporting Tool and provide early warnings, if appropriate; IG SIRI Level 0 or 1? (Yes: Manage in accordance with local procedures); IG SIRI Level 2? (Yes: Reported to ICO and DH via IG Incident Reporting Tool); Initiate Incident Response Plan; Review IG SIRI Level in light of findings, Update IG Incident Reporting Tool; Investigation; Final Report; Close Incident, note lessons learned and publish in accordance with local procedure and on IG Incident Reporting Tool.]

5.1 Initial Reporting

Suspected incidents

Initial information is often sparse and it may be uncertain whether an IG SIRI has actually taken place. Suspected incidents and near misses can still be recorded on the IG Toolkit Incident Reporting Tool, as lessons can often be learnt from them and they can be closed or withdrawn when the full facts are known.

Early notification

Where it is suspected that an IG SIRI has taken place, it is good practice to informally notify key staff (Chief Executive, Senior Information Risk Owner, Caldicott Guardian, other Directors etc.) as an early warning to ensure that they are in a position to respond to enquiries from third parties and to avoid surprises.

Each organisation needs to determine its own notification priorities and have robust policies in place to ensure that appropriate senior staff are notified immediately of all IG SIRIs or severity level 2 at least. However, the immediate response to the incident and the escalation process for reporting and investigating this will vary according to the severity of the incident.

Where incidents occur out of hours, Organisations should have arrangements in place to ensure on-call Directors or other nominated individuals are informed of the incident and take action to inform the appropriate contacts.

In the case of person identifiable information provided to a recipient organisation for secondary uses, e.g. a transfer of patient data approved under Section 251 of the NHS Act 2006, robust arrangements must be in place to ensure that the data provider or sponsoring organisation or statutory body is notified of all information governance incidents.

Reporting incidents

Organisations should enter details of initial findings, within 24hrs of becoming aware of the incident, onto the Incident Reporting Tool. The severity of the incident will be determined by the scale (numbers of data subjects affected) and sensitivity factors selected.

If the outcome in terms of the severity of the incident is IG SIRI level 2 (reportable) an email notification will be sent to the HSCIC External IG Delivery Team, DH, ICO and escalated to other regulators, as appropriate. If the outcome is IG SIRI level 0 or 1 no notifications will be sent. For further detail on how the severity of an incident is assessed and calculated within the IG Incident Reporting Tool, see Annex A.

The DH will review the incident and determine the need to brief Ministers and/or take other action at a national level. The decision to inform other regulators will also be taken, dependent upon the circumstances of the incident, e.g. where this involves risks to the personal safety of patients, the National Patient Safety Agency (NPSA) may also need to be informed.

Further information will become available as the investigation takes place and the IG Incident Reporting Tool record should be regularly updated as appropriate. Any significant updates regarding the breach type, severity details and media awareness will trigger a notification from the system to the HSCIC External IG Delivery Team and, where appropriate, this will be relayed to other regulators. This will reduce the burden on the organisation in terms of keeping authorities informed and updated as the investigation progresses and is finally closed.

Although the IG Incident Reporting Tool is quite intuitive and context help is provided by most data entry fields to help users make the appropriate selections, the system is still dependent on the User entering quality information. For example, the free text fields (Summary of the incident, Details of the Incident, Data) should be populated with up to date, accurate, factual, non person identifiable information (see *Important Disclaimer on page 7 of this guidance), including:

- Date, time and location of the incident.
- Breach Type (definitions and examples of these can be found in Annex C).
- Details of local incident management arrangements.
- Confirmation that appropriate and documented incident management procedures are being followed and that disciplinary action will be invoked, where appropriate, following the investigation.
- Description of what happened: theft, accidental loss, inappropriate disclosure, procedural failure etc.
- The number of patients/service users/staff (individual data subjects) involved.
- The number of records involved.
- The format of the records (paper or digital).
- If digital format, whether encrypted or not.
- The type of record, breach or data involved and sensitivity.
- Whether the IG SIRI is in the public domain.
- Whether the media (press etc.) are involved or there is a potential for media interest.
- Whether the IG SIRI could damage the reputation of an individual, a workteam, an organisation or the Health or Adult Social Care sector.

- Whether there are legal implications to be considered.
- Initial assessment of the severity level of the IG SIRI (see Annex A for further detail on how this is calculated).
- Whether the following have been notified (formally or informally):
  - Data subjects
  - Caldicott Guardian
  - Senior Information Risk Owner
  - Chief Executive
  - Accounting Officer
  - Police, Counter Fraud Branch, etc.
- Immediate action taken, including whether any staff have been suspended pending the results of the investigation.

5.2 Managing the incident

- Identify who is responsible for managing the incident and coordinating separate but related incidents
- Identify who is responsible for the investigation and performance management
- Identify expected outcomes
- Identify stakeholders
- Develop and implement an appropriate communications plan
- Preserve evidence
- Investigate the incident (see below)
- Institute formal documentation; this must incorporate version control and configuration management
- Maintain an audit trail of events and evidence supporting decisions taken during the incident
- Where appropriate the Information Commissioner, Department of Health and other regulators will be informed, via the IG Incident Reporting Tool, of any incidents which reach IG SIRI severity level 2 (reportable)
- Escalate as appropriate (Host organisations, dependent business partners or Commissioners)
- Informing data subjects (e.g. patients, service users, staff). Consideration should always be given to informing data subjects when personal data about them has been lost or inappropriately placed in the public domain. Where there is any risk of identity theft it is strongly recommended that this is done.
- Identify and manage consequent risks of the incident (these may be IG-related or involve risks to patient safety, continuity of treatment etc.)

- Institute recovery actions
- Invoke organisation's disciplinary procedure as appropriate and document the reasons where it is decided not to take action where such action may be viewed as relevant by external parties
- Institute appropriate counter-measures to prevent recurrence
- Identify risks and issues that, whilst not in scope of the incident, are appropriate for separate follow-up and action

Level 2 IG SIRIs recorded on the IG Incident Reporting Tool must include relevant up to date information, particularly under Details of incident and/or Actions taken throughout the management of the incident (in a timely manner), for the reasons stated on page 7 of this guidance under *Important Disclaimer.

5.3 Investigating the incident

Note that national guidance / requirements are expected on forensic preservation of evidence relating to IG incidents:

- Appoint investigating officer
- Engage appropriate specialist help (IG, IT, Security, Records Management)
- Where across organisational boundaries coordinate investigations (and incident management)
- Investigate: carry out a Root Cause Analysis as per the NPSA's template using the Incident Decision Tree (NPSA tools are available on go to tools. All templates are downloadable. IDT, RCA and report writing and although they need a small amount of flexibility in order to reflect IG rather than patient safety issues they provide a good structure for investigating and reporting IG incidents). Organisations should be aware of rules of evidence, interviews, preservation of evidence, suspending staff, etc
- Document investigation and findings
- Ensure that content is reviewed with sources for accuracy
- Identify lessons learnt

Level 2 IG SIRIs recorded on the IG Incident Reporting Tool must include relevant up to date information, particularly under Details of incident and/or Actions taken throughout the management of the incident (in a timely manner), for the reasons stated on page 7 of this guidance under *Important Disclaimer.

5.4 Final Reporting, Lessons Learned and Closure of the incident

- Set target timescale for completing investigation and finalising reports.
- Produce final report.
- Report reviewed by appropriate persons or appraisal group.
- Sign-off of report: Investigating Officer and Chief Executive, if serious enough.
- Send to the relevant persons and/or committee.
- Identify who is responsible for disseminating lessons learnt.
- Closure of IG SIRI only when all aspects, including any disciplinary action taken against staff, are settled.
- Update the IG Incident Reporting Tool. The record cannot be closed until all the data fields are populated including Actions taken and Lessons Learned. HSCIC External IG Delivery Team will be notified by email when an incident is closed and will monitor progress.

The board or equivalent body of each organisation in the health and social care system must publish all data breaches involving the processing of data without a legal basis, where one is required. This should be in the quality report or as part of the annual end of year report by Accountable Officer or performance report for non-NHS organisations. See Annex B for examples.

Reports of IG SIRIs should be published on your organisation's website and can be easily exported from the IG Incident Reporting Tool for publication.

6 Further assistance

Any queries regarding this guidance or the IG Incident Reporting Tool should be submitted via the IG Toolkit Contact us service.

Any queries regarding the Information Commissioner's Office investigation processes or referenced guidance should be emailed to casework@ico.org.uk

Annex A - Assessing the Severity of the Incident

Although the primary factors for assessing the severity level are the numbers of individual data subjects affected, the potential for media interest, and the potential for reputational damage, other factors may indicate that a higher rating is warranted, for example the potential for litigation or significant distress or damage to the data subject(s) and other personal data breaches of the Data Protection Act. As more information becomes available, the IG SIRI level should be re-assessed.

Where the numbers of individuals that are potentially impacted by an incident are unknown, a sensible view of the likely worst case should inform the assessment of the SIRI level. When more accurate information is determined the level should be revised as quickly as possible.

All IG SIRIs entered onto the IG Toolkit Incident Reporting Tool, reaching severity level 2, will trigger an automated notification email to the Department of Health, Health and Social Care Information Centre and the Information Commissioner's Office, in the first instance and to other regulators as appropriate, reducing the burden on the organisation to do so.

The IG Incident reporting tool works on the following basis when calculating the severity of an incident:

There are 2 factors which influence the severity of an IG SIRI: Scale & Sensitivity.

Scale Factors

Whilst any IG SIRI is potentially a very serious matter, the number of individuals that might potentially suffer distress, harm or other detriment is clearly an important factor. The scale (noted under step 1 below) provides the base categorisation level of an incident, which will be modified by a range of sensitivity factors.

Sensitivity Factors

Sensitivity in this context may cover a wide range of different considerations and each incident may have a range of characteristics, some of which may raise the categorisation of an incident and some of which may lower it. The same incident may have characteristics that do both, potentially cancelling each other out. For the purpose of IG SIRIs sensitivity factors may be:

i. Low: reduces the base categorisation
ii. Medium: has no effect on the base categorisation
iii. High: increases the base categorisation

Categorising SIRIs

The IG SIRI category is determined by the context, scale and sensitivity. Every incident can be categorised as level:

1. Confirmed IG SIRI but no need to report to ICO, DH and other central bodies.
2. Confirmed IG SIRI that must be reported to ICO, DH and other central bodies.

A further category of IG SIRI is also possible and should be used in incident closure where it is determined that it was a near miss or the incident is found to have been mistakenly reported:

0. Near miss/non-event

Where an IG SIRI has found not to have occurred or severity is reduced due to fortunate events which were not part of pre-planned controls this should be recorded as a near miss to enable lessons learned activities to take place and appropriate recording of the event.

The following process should be followed to categorise an IG SIRI.

Step 1: Establish the scale of the incident. If this is not known it will be necessary to estimate the maximum potential scale point.

Baseline | Scale
0 | Information about less than 10 individuals
1 | Information about individuals
1 | Information about individuals
2 | Information about individuals
2 | Information about individuals
2 | Information about 501-1,000 individuals
3 | Information about 1,001-5,000 individuals
3 | Information about 5,001-10,000 individuals
3 | Information about 10, ,000 individuals
3 | Information about 100,001 + individuals

Step 2: Identify which sensitivity characteristics may apply and the baseline scale point will adjust accordingly.

Sensitivity Factors (SF) modify baseline scale

Low: For each of the following factors reduce the baseline score by 1 (-1 for each)
- No clinical data at risk
- Limited demographic data at risk e.g. address not included, name not included
- Security controls/difficulty to access data partially mitigates risk

Medium: The following factors have no effect on baseline score (0)
- Basic demographic data at risk e.g. equivalent to telephone directory
- Limited clinical information at risk e.g. clinic attendance, ward handover sheet

High: For each of the following factors increase the baseline score by 1 (+1 for each)
- Detailed clinical information at risk e.g. case notes
- Particularly sensitive information at risk e.g. HIV, STD, Mental Health, Children
- One or more previous incidents of a similar type in past 12 months
- Failure to securely encrypt mobile technology or other obvious security failing
- Celebrity involved or other newsworthy aspects or media interest
- A complaint has been made to the Information Commissioner
- Individuals affected are likely to suffer significant distress or embarrassment
- Individuals affected have been placed at risk of physical harm
- Individuals affected may suffer significant detriment e.g. financial loss
- Incident has incurred or risked incurring a clinical untoward incident

Step 3: Where adjusted scale indicates that the incident is level 2, the incident will be reported to the ICO and DH automatically via the IG Incident Reporting Tool.

Final Score | Level of SIRI
1 or less | Level 1 IG SIRI (Not Reportable)
2 or more | Level 2 IG SIRI (Reportable)

Example Incident Classification

Examples

A. Health Visitor data inappropriately disclosed in response to an FOI request. Data relating to 292 children, detailing their client and referral references, their ages, an indicator of their level of need, and details of each disability or impairment that led to their being in contact with the health visiting service e.g. autism, chromosomal abnormalities etc.
   Baseline scale factor: 2
   Sensitivity Factors:
     -1 Limited demographic data
      0 Limited clinical information
     +1 Particularly sensitive information
     +1 Parents likely to be distressed
   Final scale point 3 so this is a level 2 reportable SIRI

B. Imaging system supplier has been extracting PID in addition to non-identifying performance data. A range of data items including names and some clinical data and images have been transferred to the USA but are being held securely and no data has been disclosed to a third party.
   Baseline scale factor: 3 (estimated)
   Sensitivity Factors:
     -1 Limited demographic data
      0 Limited clinical information
     -1 Data held securely
     +1 Sensitive images
     +1 Data sent to USA deemed newsworthy
   Final scale point 3 so this is a level 2 reportable SIRI

C. Information about a child and the circumstances of an associated child protection plan has been faxed to the wrong address.
   Baseline scale factor: 0
   Sensitivity Factors:
     -1 No clinical data at risk
      0 Basic demographic data
     +1 Sensitive information
     +1 Information may cause distress
   Final scale point 1 so this is a level 1 SIRI and not reportable

D. Subsequent to incident C the same error is made again and the recipient this time informs the Trust she has complained to the ICO.
   Baseline scale factor: 0
   Sensitivity Factors:
     -1 No clinical data at risk
      0 Basic demographic data
     +1 Sensitive information
     +1 Information may cause distress
     +1 Repeat incident
     +1 Complaint to ICO
   Final scale point 3 so this is a level 2 reportable SIRI

E. Two diaries containing information relating to the care of 240 midwifery patients were stolen from a nurse's car.
   Baseline scale factor: 2
   Sensitivity Factors:
      0 Basic demographic data
      0 Limited clinical information
   Final scale point 2 so this is a level 2 reportable SIRI

F. A member of staff took a ward handover sheet home by mistake and disposed of it in a public waste bin where it was found by a member of the public. 19 individuals' details were included.
   Baseline scale factor: 1
   Sensitivity Factors:
     -1 Limited demographic data
      0 Limited clinical information
     +1 Security failure re disposal of data
   Final scale point 1 so this is a level 1 SIRI and not reportable

G. A filing cabinet containing CDs with personal data relating to several thousand members of staff sent to landfill in error during an office move.
   Baseline scale factor: 3
   Sensitivity Factors:
     -1 No clinical data at risk
     -1 Landfill unlikely to be accessed
      0 Basic demographic data
     +1 Security failure (no encryption & poor disposal)
   Final scale point 2 so this is a level 2 reportable SIRI

H. Loss of an individual's medical records. The records were found to be missing when the patient concerned made a subject access request.
   Baseline scale factor: 0
   Sensitivity Factors:
      0 Basic demographic data
     +1 Detailed clinical information
     +1 Patient distressed
     +1 Complaint to ICO
   Final scale point 3 so this is a level 2 reportable SIRI
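The Step 1 to Step 3 calculation of this Annex, replayed over worked examples A to H, as an added Python example (not part of the original guidance and not the IG Incident Reporting Tool's own code). The class and function names are hypothetical, and the baseline scale point is supplied by the caller exactly as each worked example states it.

```python
from dataclasses import dataclass, field

REPORTABLE_THRESHOLD = 2                          # Step 3: final score of 2 or more is level 2
MODIFIERS = {-1: "Low", 0: "Medium", +1: "High"}  # Step 2 sensitivity bands


@dataclass
class Incident:
    """One IG SIRI under assessment (hypothetical structure for this example)."""
    ref: str
    baseline: int                                 # Step 1 baseline scale point, 0 to 3
    factors: list = field(default_factory=list)   # (modifier, description) pairs

    def __post_init__(self):
        if self.baseline not in (0, 1, 2, 3):
            raise ValueError(f"baseline scale point must be 0-3, got {self.baseline}")
        for modifier, _ in self.factors:
            self._check(modifier)

    @staticmethod
    def _check(modifier):
        # Each sensitivity factor moves the score by exactly -1, 0 or +1.
        if modifier not in MODIFIERS:
            raise ValueError(f"sensitivity modifier must be -1, 0 or +1, got {modifier}")

    def add_factor(self, modifier, description):
        """Record a factor found later; the level is re-assessed on the next call."""
        self._check(modifier)
        self.factors.append((modifier, description))

    def final_scale_point(self):
        return self.baseline + sum(m for m, _ in self.factors)

    def level(self):
        # Level 0 (near miss) is a decision taken at closure, not a computed score.
        return 2 if self.final_scale_point() >= REPORTABLE_THRESHOLD else 1

    def reportable(self):
        return self.level() == 2


# Baselines and factors copied from worked examples A-H of this Annex.
WORKED_EXAMPLES = [
    Incident("A", 2, [(-1, "Limited demographic data"), (0, "Limited clinical information"),
                      (+1, "Particularly sensitive information"),
                      (+1, "Parents likely to be distressed")]),
    Incident("B", 3, [(-1, "Limited demographic data"), (0, "Limited clinical information"),
                      (-1, "Data held securely"), (+1, "Sensitive images"),
                      (+1, "Data sent to USA deemed newsworthy")]),
    Incident("C", 0, [(-1, "No clinical data at risk"), (0, "Basic demographic data"),
                      (+1, "Sensitive information"), (+1, "Information may cause distress")]),
    Incident("D", 0, [(-1, "No clinical data at risk"), (0, "Basic demographic data"),
                      (+1, "Sensitive information"), (+1, "Information may cause distress"),
                      (+1, "Repeat incident"), (+1, "Complaint to ICO")]),
    Incident("E", 2, [(0, "Basic demographic data"), (0, "Limited clinical information")]),
    Incident("F", 1, [(-1, "Limited demographic data"), (0, "Limited clinical information"),
                      (+1, "Security failure re disposal of data")]),
    Incident("G", 3, [(-1, "No clinical data at risk"), (-1, "Landfill unlikely to be accessed"),
                      (0, "Basic demographic data"),
                      (+1, "Security failure (no encryption & poor disposal)")]),
    Incident("H", 0, [(0, "Basic demographic data"), (+1, "Detailed clinical information"),
                      (+1, "Patient distressed"), (+1, "Complaint to ICO")]),
]


def replay_worked_examples():
    """Return {ref: (final scale point, level)} for examples A-H."""
    return {i.ref: (i.final_scale_point(), i.level()) for i in WORKED_EXAMPLES}


def reassess_c_into_d():
    """Example C becomes example D once the repeat and the ICO complaint are known."""
    incident = Incident("C", 0, list(WORKED_EXAMPLES[2].factors))
    before = incident.level()
    incident.add_factor(+1, "Repeat incident")
    incident.add_factor(+1, "Complaint to ICO")
    return before, incident.level()


if __name__ == "__main__":
    for ref, (score, level) in replay_worked_examples().items():
        print(f"{ref}: final scale point {score}, level {level}")
    print("C re-assessed as D:", reassess_c_into_d())
```
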

Annex B - Publishing details of SIRIs in annual reports and Statements of Internal Control (SIC)

Principles

The reporting of personal data related incidents in the Annual Report should observe the principles listed below. The principles support consistency in reporting standards across Organisations while allowing for existing commitments in individual cases.

a) You must ensure that information provided on personal data related incidents is complete, reliable and accurate.
b) You should review all public statements you have made, particularly in response to requests under the Freedom of Information Act 2000, to ensure that coverage of personal data related incidents in your report is consistent with any assurances given.
c) You should consider whether the exemptions in the Freedom of Information Act 2000 or any other UK information legislation apply to any details of a reported incident or whether the incident is unsuitable for inclusion in the report for any other reason (for example, the incident is sub judice and therefore cannot be reported publicly pending the outcome of legal proceedings).
d) Please note that the loss or theft of removable media (including laptops, removable discs, CDs, USB memory sticks, PDAs and media card formats) upon which data has been encrypted to the approved standard, is not a Serious Incident Requiring Investigation unless you have reason to believe that the protections have been broken or were improperly applied.

Content to be included in Annual Reports

Incidents classified at an IG SIRI severity level 2 (see Annex A) are those that are classed as a personal data breach (as defined in the Data Protection Act) or high risk of reputational damage, basically reportable to the Department of Health and the Information Commissioner's Office. These incidents need to be detailed individually in the annual report in the format provided as Table 1 below.

All reported incidents relating to the period in question should be reported, whether they are open or closed incidents.


Checklist Guidance for Reporting, Managing and Investigating Information Governance and Cyber Security Serious Incidents Requiring Investigation Checklist Guidance for Reporting, Managing and Investigating Information Governance and Cyber Security Serious Incidents Requiring Investigation Applicable to all organisations processing Health, Public

More information

Information Incident Management and Reporting Procedures

Information Incident Management and Reporting Procedures ` Information Incident Management and Reporting Procedures Compliance with all CCG policies, procedures, protocols, guidelines, guidance and standards is a condition of employment. Breach of policy may

More information

NIGB. Information Governance Untoward Incident Reporting and Management Advice for Local Authorities

NIGB. Information Governance Untoward Incident Reporting and Management Advice for Local Authorities Information Governance Untoward Incident Reporting and Management Advice for Local Authorities March 2013 Contents Page 1. The Role of the NIGB.....3 2. Introduction...4 3. Background Information...6 4.

More information

BHR CCGs Procedure for Managing Information Governance/Information Security Related Incidents

BHR CCGs Procedure for Managing Information Governance/Information Security Related Incidents BHR CCGs Procedure for Managing Information Governance/Information Security Related Incidents Version Description of Change(s) Reason for Author Date Change 0.1 Draft Created Initial Draft R Lavender 30/09/2013

More information

Human Resources Policy documents. Data Protection Policy

Human Resources Policy documents. Data Protection Policy Policy documents Aims of the Policy apetito is committed to meeting its obligations under data protection law. As a business, apetito handles a range of Personal Data relating to its customers, staff and

More information

So the security measures you put in place should seek to ensure that:

So the security measures you put in place should seek to ensure that: Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.

More information

Data Protection Breach Reporting Procedure

Data Protection Breach Reporting Procedure Central Bedfordshire Council www.centralbedfordshire.gov.uk Data Protection Breach Reporting Procedure October 2015 Security Classification: Not Protected 1 Approval History Version No Approved by Approval

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review

More information

Security Incident Management Policy

Security Incident Management Policy Security Incident Management Policy January 2015 Document Version 2.4 Document Status Owner Name Owner Job Title Published Martyn Ward Head of ICT Business Delivery Document ref. Approval Date 27/01/2015

More information

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Indirani 02/11/2009 Draft 2 Include JG s comments Jackie Groom

More information

Data Breach Trends October 2015

Data Breach Trends October 2015 Data Breach Trends October 2015 Introduction In October 2015 the Information Commissioner s Office (ICO) published the latest data breach trends including incidents by quarter, type of incident and incidents

More information

IP-PGN-14 Part of NTW(O)05 Incident Policy

IP-PGN-14 Part of NTW(O)05 Incident Policy Incident Policy Practice Guidance Note Information Governance Incident Reporting Management V01 Date Issued Planned Review PGN No: Issue 1 October 2014 October 2017 IP-PGN-14 Part of NTW(O)05 Incident

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Policy Summary This policy outlines the organisation s approach to the management of Information Governance and information handling. It explains the accountability and reporting

More information

A Question of Balance

A Question of Balance A Question of Balance Independent Assurance of Information Governance Returns Audit Requirement Sheets Contents Scope 4 How to use the audit requirement sheets 4 Evidence 5 Sources of assurance 5 What

More information

DATA AND PAYMENT SECURITY PART 1

DATA AND PAYMENT SECURITY PART 1 STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of

More information

Council, 14 May 2015. Information Governance Report. Introduction

Council, 14 May 2015. Information Governance Report. Introduction Council, 14 May 2015 Information Governance Report Introduction 1.1 The Information Governance function within the Secretariat Department is responsible for the HCPC s ongoing compliance with the Freedom

More information

NHS Waltham Forest Clinical Commissioning Group Information Governance Strategy

NHS Waltham Forest Clinical Commissioning Group Information Governance Strategy NHS Waltham Forest Clinical Commissioning Group Governance Strategy Author: Zeb Alam, CCG IG Lead, (NELCSU) David Pearce, Head of Governance, WFCCG Version 3.0 Amendments to Version 2.1 Annual Review Reference

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Including the Information Governance Strategy Framework and associated Information Governance Procedures Last Review Date Approving Body N/A Governing Body Date of Approval

More information

An Approach to Records Management Audit

An Approach to Records Management Audit An Approach to Records Management Audit DOCUMENT CONTROL Reference Number Version 1.0 Amendments Document objectives: Guidance to help establish Records Management audits Date of Issue 7 May 2007 INTRODUCTION

More information

Standard Operating Procedure for the Management of Information Governance Serious Incidents Requiring Investigation (IG SIRI)

Standard Operating Procedure for the Management of Information Governance Serious Incidents Requiring Investigation (IG SIRI) Standard Operating Procedure for the Management of Information Governance Serious Incidents Requiring Investigation (IG SIRI) DOCUMENT CONTROL: Version: V1 Ratified by: Risk Management Sub Group Date ratified:

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

Data Protection Policy A copy of this policy is published in the following areas: The school s intranet The school s website

Data Protection Policy A copy of this policy is published in the following areas: The school s intranet The school s website Data Protection Policy A copy of this policy is published in the following areas: The school s intranet The school s website Date created: November 2015 Date for review: July 2016 Created by: Mark Vanstone,

More information

Merthyr Tydfil County Borough Council. Data Protection Policy

Merthyr Tydfil County Borough Council. Data Protection Policy Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the

More information

Everyone in the workplace has a legal duty to protect the privacy of information about individuals. AEP/BELB/LJ/2010 Awareness Session

Everyone in the workplace has a legal duty to protect the privacy of information about individuals. AEP/BELB/LJ/2010 Awareness Session Everyone in the workplace has a legal duty to protect the privacy of information about individuals AEP/BELB/LJ/2010 Awareness Session During 2007 alone, 36,989,300 people in the UK have had their private

More information

Information Governance Policy (incorporating IM&T Security)

Information Governance Policy (incorporating IM&T Security) (incorporating IM&T Security) ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Findings from ICO audits and reviews of community healthcare providers. June 2013 to December 2014

Findings from ICO audits and reviews of community healthcare providers. June 2013 to December 2014 Findings from ICO audits and reviews of community healthcare providers June 2013 to December 2014 Introduction The Information Commissioner s Office (ICO) is the regulator responsible for ensuring that

More information

Process for reporting and learning from serious incidents requiring investigation

Process for reporting and learning from serious incidents requiring investigation Process for reporting and learning from serious incidents requiring investigation Date: 9 March 2012 NHS South of England Process for reporting and learning from serious incidents requiring investigation

More information

1. Introduction... 3. 2. Statement of Policy. 3. 3. The Eight Principles of Data Protection... 4. 4. Scope... 5. 5. Roles and Responsibilities.

1. Introduction... 3. 2. Statement of Policy. 3. 3. The Eight Principles of Data Protection... 4. 4. Scope... 5. 5. Roles and Responsibilities. Data Protection Policy 2011 Contents Page 1. Introduction... 3 2. Statement of Policy. 3 3. The Eight Principles of Data Protection...... 4 4. Scope.... 5 5. Roles and Responsibilities. 5 6. Development

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY Policy approved by: Audit and Governance Committee Date: 4 th December 2014 Next Review Date: December 2016 Version: 1 Information Security Policy Page 1 of 17 Review and Amendment

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Primary Intranet Location Information Management & Governance Version Number Next Review Year Next Review Month 7.0 2018 January Current Author Phil Cottis Author s Job Title

More information

Version: 2.0. Effective From: 28/11/2014

Version: 2.0. Effective From: 28/11/2014 Policy No: OP58 Version: 2.0 Name of Policy: Anti Virus Policy Effective From: 28/11/2014 Date Ratified 17/09/2014 Ratified Health Informatics Assurance Committee Review Date 01/09/2016 Sponsor Director

More information

DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE

DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE 1. INTRODUCTION Annex C 1.1 Surrey Heath Borough Council (SHBC) processes personal data and must respond appropriately against unauthorised or unlawful

More information

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect.

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect. PRIVACY POLICY 1. Introduction Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect. We will only collect information that

More information

Caedmon College Whitby

Caedmon College Whitby Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be

More information

Guidance on data security breach management

Guidance on data security breach management ICO lo Guidance on data security breach management Data Protection Act Contents... 1 Data Protection Act... 1 Overview... 1 Containment and recovery... 2 Assessing the risks... 3 Notification of breaches...

More information

Information Governance

Information Governance CONTROLLED Information Governance Caldicot Version-Workbok Non Caldicott Version - Workbook Version 12 January 2015 40 1 Don t Get Bitten by the Data Demon Notes Using this Workbook The objective of this

More information

SECURITY INCIDENT REPORTING AND MANAGEMENT. Standard Operating Procedures

SECURITY INCIDENT REPORTING AND MANAGEMENT. Standard Operating Procedures SECURITY INCIDENT REPORTING AND MANAGEMENT Standard Operating Procedures Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme.

More information

Cloud Software Services for Schools

Cloud Software Services for Schools Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Supplier name Address Contact name Contact email Contact telephone Parent Teacher Online

More information

Information Governance Strategy Includes Information risk & incident management methodology

Information Governance Strategy Includes Information risk & incident management methodology Version 2.0 LOGOLOGO Information Governance Strategy Includes Information risk & incident management methodology Approved by: Quality & Governance Committee Ratification date: May 2014 Review date: May

More information

Information security incident reporting procedure

Information security incident reporting procedure Information security incident reporting procedure Responsible Officer Author Date effective from 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

Scottish Rowing Data Protection Policy

Scottish Rowing Data Protection Policy Revision Approved by the Board August 2010 1. Introduction As individuals, we want to know that personal information about ourselves is handled properly, and we and others have specific rights in this

More information

Data Security and Extranet

Data Security and Extranet Data Security and Extranet Derek Crabtree Schools ICT Support Manager derek.crabtree@merton.gov.uk Target Operating Model 2011 Merton Audit Organisation name: London Borough of Merton Periodic plan date:

More information

How To Ensure Network Security

How To Ensure Network Security NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

More information

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER 3 APPLIES TO: ALL STAFF 4 COMMITTEE & DATE APPROVED: AUDIT COMMITTEE

More information

Data Protection Act. Conducting privacy impact assessments code of practice

Data Protection Act. Conducting privacy impact assessments code of practice Data Protection Act Conducting privacy impact assessments code of practice 1 Conducting privacy impact assessments code of practice Data Protection Act Contents Information Commissioner s foreword... 3

More information

Guidance on data security breach management

Guidance on data security breach management Guidance on data security breach management Organisations which process personal data must take appropriate measures against unauthorised or unlawful processing and against accidental loss, destruction

More information

Information Security Incident Management Policy and Procedure

Information Security Incident Management Policy and Procedure Information Security Incident Management Policy and Procedure Version Final 1.0 Document Control Organisation Title Author Filename Owner Subject Protective Marking North Dorset District Council IT Infrastructure

More information

University of Aberdeen Information Security Policy

University of Aberdeen Information Security Policy University of Aberdeen Information Security Policy Contents Introduction to Information Security... 1 How can information be protected?... 1 1. Information Security Policy... 3 Subsidiary Policy details:...

More information

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff DATA PROTECTION IT S EVERYONE S RESPONSIBILITY An Introductory Guide for Health Service Staff 1 Message from Director General Dear Colleagues The safeguarding of and access to personal information has

More information

INFORMATION GOVERNANCE AND DATA PROTECTION POLICY

INFORMATION GOVERNANCE AND DATA PROTECTION POLICY INFORMATION GOVERNANCE AND DATA PROTECTION POLICY WN CCG Information Governance & Data Protection Policy July 2013 1 Document Control Sheet Name of Document: Information Governance & Data Protection Policy

More information

INFORMATION GOVERNANCE POLICY & FRAMEWORK

INFORMATION GOVERNANCE POLICY & FRAMEWORK INFORMATION GOVERNANCE POLICY & FRAMEWORK Version 1.2 Committee Approved by Audit Committee Date Approved 5 March 2015 Author: Responsible Lead: Associate IG Specialist, YHCS Corporate & Governance Manger

More information

Incident reporting procedure

Incident reporting procedure Incident reporting procedure Responsible Officer Author Date effective from Aug 2009 Date last amended Aug 2009 Review date July 2012 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Issued by: Senior Information Risk Owner Policy Classification: Policy No: POLIG001 Information Governance Issue No: 1 Date Issued: 18/11/2013 Page No: 1 of 16 Review Date:

More information

Data Protection and Information Security Policy and Procedure

Data Protection and Information Security Policy and Procedure Data Protection and Information Security Policy and Procedure Document Detail Category: Data Protection Authorised By: Full Governing Body Author: School Business Manager Version: 1 Status: Approved May

More information

Auditing data protection a guide to ICO data protection audits

Auditing data protection a guide to ICO data protection audits Auditing data protection a guide to ICO data protection audits Contents Executive summary 3 1. Audit programme development 5 Audit planning and risk assessment 2. Audit approach 6 Gathering evidence Audit

More information

INFORMATION GOVERNANCE STAFF HANDBOOK

INFORMATION GOVERNANCE STAFF HANDBOOK INFORMATION GOVERNANCE STAFF HANDBOOK Contents Why do YOU need to know about Information Governance (IG)?... 2 Keeping Information Safe... 2 Confidentiality... 2 Deciding to Communicate Important Information...

More information

Photography and filming in schools Code of Practice

Photography and filming in schools Code of Practice Photography and filming in schools Code of Practice Data Protection compliance September 2010 Photography and filming in schools September 2010 1 Contents 1. About this code 3 2. Complying with the Data

More information

Network Security Policy

Network Security Policy Department / Service: IM&T Originator: Ian McGregor Deputy Director of ICT Accountable Director: Jonathan Rex Interim Director of ICT Approved by: County and Organisation IG Steering Groups and their relevant

More information

Information Governance Strategy :

Information Governance Strategy : Item 11 Strategy Strategy : Date Issued: Date To Be Reviewed: VOY xx Annually 1 Policy Title: Strategy Supersedes: All previous Strategies 18/12/13: Initial draft Description of Amendments 19/12/13: Update

More information

LSE PCI-DSS Cardholder Data Environments Information Security Policy

LSE PCI-DSS Cardholder Data Environments Information Security Policy LSE PCI-DSS Cardholder Data Environments Information Security Policy Written By: Jethro Perkins, Information Security Manager Reviewed By: Ali Lindsley, PCI-DSS Project Manager Endorsed By: PCI DSS project

More information

Life Cycle of Records

Life Cycle of Records Discard Create Inactive Life Cycle of Records Current Retain Use Semi-current Records Management Policy April 2014 Document title Records Management Policy April 2014 Document author and department Responsible

More information

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK Log / Control Sheet Responsible Officer: Chief Finance Officer Clinical Lead: Dr J Parker, Caldicott Guardian Author: Associate IG Specialist, Yorkshire

More information

Safe Haven Policy. Equality & Diversity Statement:

Safe Haven Policy. Equality & Diversity Statement: Title: Safe Haven Policy Reference No: 010/IT Owner: Deputy Chief Officer Author Information Governance Lead First Issued On: November 2012 Latest Issue Date: March 2015 Operational Date: March 2015 Review

More information

NHS DORSET CLINICAL COMMISSIONING GROUP GOVERNING BODY INFORMATION GOVERNANCE TOOLKIT REPORT

NHS DORSET CLINICAL COMMISSIONING GROUP GOVERNING BODY INFORMATION GOVERNANCE TOOLKIT REPORT NHS DORSET CLINICAL COMMISSIONING GROUP GOVERNING BODY INFORMATION GOVERNANCE TOOLKIT REPORT 9.7 Date of the meeting 15/07/2015 Author Sponsoring Clinician Purpose of Report Recommendation J Green - Head

More information

Information Security Incident Management Policy and Procedure. CONTROL SHEET FOR Information Security Incident Management Policy

Information Security Incident Management Policy and Procedure. CONTROL SHEET FOR Information Security Incident Management Policy Bolsover District Council North East Derbyshire District Council & Rykneld Homes Ltd Information Security Incident Management Policy September 2013 Version 1.0 Page 1 of 13 CONTROL SHEET FOR Information

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Information Governance Policy Version: 5 Reference Number: CO44 Keywords: Information Governance Supersedes Supersedes: Version 4 Description of Amendment(s):

More information

Data Encryption Policy

Data Encryption Policy Data Encryption Policy Number: THCCGCG36 Version: 01 Executive Summary This Policy defines the Security requirements for data encryption upon laptops, physical media and Secure File Transfer within the

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Version 1.3 April 2014 Contents 1 POLICY STATEMENT...2 2 PURPOSE....2 3 LEGAL CONTEXT AND DEFINITIONS...2 3.1 Data Protection Act 1998...2 3.2 Other related legislation.....4 3.3

More information

Introduction to the NHS Information Governance Requirements

Introduction to the NHS Information Governance Requirements Introduction to the NHS Information Governance Requirements 2 Version April 2014 Information Governance ensures necessary safeguards for, and appropriate use of, patient and personal information. The widely

More information

Policy: Remote Working and Mobile Devices Policy

Policy: Remote Working and Mobile Devices Policy Policy: Remote Working and Mobile Devices Policy Exec Director lead Author/ lead Feedback on implementation to Clive Clarke SHSC Information Manager SHSC Information Manager Date of draft 16 February 2014

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy Document Status Draft Version: V2.1 DOCUMENT CHANGE HISTORY Initiated by Date Author Information Governance Requirements September 2007 Information Governance Group Version

More information

Security Incident Policy

Security Incident Policy Organisation Title Author Owner Protective Marking Somerset County Council Security Incident Policy Peter Grogan Information Governance Manager Unclassified POLICY ON A PAGE Somerset County Council will

More information

Data Protection Policy June 2014

Data Protection Policy June 2014 Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:

More information

Somerset County Council - Data Protection Policy - Final

Somerset County Council - Data Protection Policy - Final Organisation Title Author Owner Protective Marking Somerset County Council Data Protection Policy - Final Peter Grogan Information Governance Manager Unclassified POLICY ON A PAGE Somerset County Council

More information

www.neelb.org.uk Web Site Download Carol Johnston

www.neelb.org.uk Web Site Download Carol Johnston What I need to know about data protection and information security when purchasing a service that requires access to my information by a third party. www.neelb.org.uk Web Site Download Carol Johnston Corporate

More information

Once more unto the breach... Dealing with Personal Data Security Breaches. Helen Williamson Information Governance Officer

Once more unto the breach... Dealing with Personal Data Security Breaches. Helen Williamson Information Governance Officer Once more unto the breach... Dealing with Personal Data Security Breaches Helen Williamson Information Governance Officer Aims of the session What are we going to look at? What is a data security breach?

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

Information Governance and Assurance Framework Version 1.0

Information Governance and Assurance Framework Version 1.0 Information Governance and Assurance Framework Version 1.0 Page 1 of 19 Document Control Title: Original Author(s): Owner: Reviewed by: Quality Assured by: Meridio Location: Approval Body: Policy and Guidance

More information

Information Security Incident Management Policy September 2013

Information Security Incident Management Policy September 2013 Information Security Incident Management Policy September 2013 Approving authority: University Executive Consultation via: Secretary's Board REALISM Project Board Approval date: September 2013 Effective

More information

Incident reporting procedure
