The following procedure ensures that we consistently manage any data breach that affects personally identifiable information, that we notify the relevant stakeholders in a timely manner, and that we capture and act on the lessons learned from the incident.
An incident is an event or action, whether accidental or deliberate, that compromises or may compromise the confidentiality, integrity or availability of systems or data, and that has caused or has the potential to cause damage to data subjects.
An incident includes but is not restricted to:
Any person using personal data on behalf of GP-Billing is responsible for reporting data breach incidents immediately to an Executive Director.
The report should contain the following details:
The Executive Director will first ascertain whether the breach is still occurring. If so, appropriate steps will be taken immediately to contain it and minimise its effects. An assessment will then be carried out to establish the severity of the breach and the nature of the further investigation required, using the table below as a guide:
| Severity | Severity of Impact | Description | Actions |
|---|---|---|---|
| Low | Potentially some minor impact on data subjects | Small number of records; minor inconvenience with little or no loss of privacy or freedoms | Report to Data Controller/client |
| Medium | Potentially some adverse effect on data subjects | | Report to Data Controller/client and ICO, with input from Data Controller/client |
| Critical | Potentially financial loss, large number of records or significant impact on data subjects' rights | Loss of personal details such that it may affect finances, e.g. bank details | Report to Data Controller/client and ICO, with input from Data Controller/client |
Consideration will be given as to whether the police should be informed. Advice from appropriate experts will be sought if necessary.
A suitable course of action will be taken to ensure a resolution to the breach.
An investigation will be carried out without delay and, where possible, within 24 hours of the breach being discovered. The Executive Director will assess the risks associated with the breach and the potential consequences for the data subjects: how serious and substantial those consequences are, and how likely they are to occur.
The investigation will consider the following:
The Executive Director will decide with appropriate advice who needs to be notified of the breach. Every incident will be assessed on a case-by-case basis. Consideration will be given to notifying the Information Commissioner, or Data Controller, if many people are affected or the consequences for the data subjects are very serious.
Guidance on when and how to notify the ICO (where notification is required, it must be made within 72 hours of becoming aware of the breach) is available on their website:
www.ico.org.uk/media/1536/breach_reporting.pdf
Notification to the data subjects whose personal data has been affected by the incident will include a description of how and when the breach occurred, and the nature of the data involved. Specific and clear advice will be given on what they can do to protect themselves and what has already been done to mitigate the risks.
Because GP-Billing's clients are the Data Controllers for the data concerned, in most cases it will be more appropriate for GP-Billing to inform the client of the breach, including all relevant details that will allow data subjects to protect themselves. Notification to clients should occur as soon as possible and within 2 hours of confirmation of the breach.
The Executive Director will keep a record of all actions taken in respect of the breach.
Once the incident is contained, the Executive Director will carry out a review of the causes of the breach, the effectiveness of the response, and whether any changes to systems, policies or procedures should be undertaken. Consideration will be given to whether any corrective action is necessary to minimise the risk of similar incidents occurring.
For NHS clients, incidents are also reported through the Data Security and Protection Toolkit:
https://www.dsptoolkit.nhs.uk/Help/incident-reporting
This procedure has been approved by an Executive Director and must be reviewed by 1st December 2023