Guidance on data security breach management

This is a tier 2 IG document

     Procedure for Reporting, Managing and
      Investigating Information Governance
         Serious Untoward Incidents v2.0

Version:                                        2.0
Job title of originator/author:                 Information Governance Manager
Date written:                                   March 2009
Name of responsible committee/individual:       Information Governance Steering Group/
                                                Chief Operating Officer Community
                                                Services Wandsworth
Date first written:                             August 2008
Equality Impact Assessment carried out
and outcomes published (date):                  N/A
Date first approved by Committee / Trust        August 2008
Date reapproved by committee:*                  March 2009 by Information Governance
                                                Steering Group
Date approved by PEC:*
Date approved by PCT Board:*
Date Policy is valid:                           March 2009
Next Review date:                               March 2011
Target audience:                                All staff

1. Introduction

   1.1. This procedure sets out steps and actions to be taken in the event an
        Information Governance (IG) Serious Untoward Incident (SUI)
        involving personally identifiable data (PID) occurs in the NHS
        Wandsworth and Community Services Wandsworth (NHSW & CSW)
        or any of their hosted organisations.

   1.2. The definition of an IG SUI is:

        • Any incident involving the actual or potential loss of personal
          information that could lead to identity fraud or have other significant
          impact on individuals should be considered as serious.
        • The above definition applies irrespective of the media involved and
          includes both loss of electronic media and paper records.

   1.3. This procedure is associated with, and is a supplement to, NHSW &
        CSW's Significant Untoward Incident Policy, Risk Management
        Strategy, Accident and Incident Reporting Processes and Whistle-
        blowing Policy.

2. Purpose

   2.1. The intention of NHSW & CSW is to ensure that all Information
        Governance related SUIs that occur in the organisations are reported
        and managed in a consistent and effective manner so as to minimise
        the risk of harm to individuals and the PCT, and that:

        • The management of IG SUIs conforms to the processes and
          procedures set out for managing all Serious Untoward Incidents;
        • There is a consistent approach to evaluating IG SUIs;
        • Early reports of IG SUIs are sufficient to decide appropriate
          escalation, notification and communication to interested parties;
        • Appropriate action is taken to prevent damage to patients, staff and
          the reputation of the NHS;
        • All aspects of a SUI are fully explored and 'lessons learned' are
          identified and communicated; and
        • Appropriate corrective action is taken to prevent recurrence.

3. Scope

   3.1. This procedure applies to all IG incidents. This procedure should be
        used by all staff involved in reporting and responding to any IG SUI.

4. Responsibilities

4.1. The Chief Operating Officer of Community Services Wandsworth, in her
     capacity as the Senior Information Risk Owner (SIRO) for NHS Wandsworth,
     will act as the lead Very Senior Manager (VSM) for IG SUIs.

4.2. In the absence of the SIRO, the Caldicott Guardian of the PCT will fulfil lead
     officer responsibilities for IG SUI incidents.

4.3. In the absence of both the SIRO and the Caldicott Guardian, the on-call Director
     will fulfil lead officer responsibilities.

        • The Information Governance Manager will be responsible for the
          classification and privacy impact assessment of IG SUI issues, assurance
          of compliance with NHS IG reporting requirements and action planning
          for the resolution of IG SUIs.

        • The Head of Communications will be responsible for developing
          and managing communications actions in response to IG SUIs and
          communications with external parties.

        • Managers are responsible for local investigation and implementation
          of local action plans in relation to the IG SUI and for ensuring that this
          procedure is followed in the management of IG SUIs.

5. Procedure for IG SUI management

   5.1. An IG-related SUI can happen for a number of reasons:

          • Loss or theft of data or of equipment on which data is stored
          • Inappropriate access controls allowing unauthorised use
          • Equipment failure
          • Human error
          • Unforeseen circumstances such as a fire or flood
          • Hacking attack
          • 'Blagging' offences, where information is obtained by deceiving the
            organisation that holds it.

   5.2. An IG related SUI can have significant implications such as ID fraud,
        stress, damage to reputation for various parties such as the staff involved
        and line management staff, individuals whose data is involved and NHSW
        & CSW.

   5.3. However an Information Governance related SUI occurs, the five
        core steps set out below are important elements of managing the
        response to the SUI:

5.4. Recovery and Preservation of evidence

     • Institute efforts to try to recover the data involved in the incident

     • Institute formal documentation processes; this must incorporate
       version control and configuration management

     • Maintain an audit trail of events and evidence supporting decisions
       taken during the incident

5.5. Notification

     • Where it is suspected that an IG SUI has taken place, immediate
       communication to the Senior Information Risk Owner, Caldicott
       Guardian, Head of Communications and Information Governance
       Manager (key staff) must be made to ensure that they are in a position
       to respond to enquiries from third parties and to avoid surprises. Early
       information, no matter how brief, is better than full information that is
       too late.

     • "Key staff" will then undertake the required communications with other
       stakeholders such as the Chief Executive, Directors, NHS London,
       Department of Health (SHA), Information Commissioner's Office etc.

     • Reporting to the SHA should be undertaken as soon as practically
       possible (and no later than 24 hours after the incident during the working
       week). Key staff will report the SUI, i.e. all incidents rated as 1 – 5, to
       the SHA through the usual SUI process. "Key staff" should keep the
       SHA informed of any significant developments in internal/external
       investigations, as appropriate.

     • Reporting incidents: STEIS is to be used for reporting all IG SUIs, and
       an initial report should be made as soon as possible and no later than
       24 hours after the incident or after first becoming aware of the incident.
       Further information will become available as the investigation takes
       place, and STEIS should be regularly updated as appropriate.

     • Only the Head of Communications or a representative of the Head of
       Communications may institute press communications with external
       stakeholders such as the press. The communications team should
       contact the SHA's Communications team immediately if there is the
       possibility of adverse media coverage, in order to agree a media
       handling strategy.

     • The Information Commissioner should be informed of all Category 3-5
       incidents. The decision to inform any other bodies will also be taken,
       dependent upon the circumstances of the incident; e.g. where the incident
       involves risks to the personal safety of patients, the National Patient
       Safety Agency (NPSA) may also need to be informed.

     • Consideration should always be given to informing patients when
       person-identifiable information about them has been lost or
       inappropriately placed in the public domain. Where there is any risk of
       identity theft it is strongly recommended that this is done.

     • Appendix A sets out what should be included in the STEIS report.

5.6. Containment and Recovery - Managing the incident

   5.6.1. Identify the local work area person who will be
          responsible for managing the incident and coordinating
          with the SIRO, IG Manager and Head of Communications.

   5.6.2. Assess the risks of harm to individuals:

       • What type of data is involved?

       • How sensitive is the data? Some data is sensitive because of its
         very personal nature (health records), while other data types are
         sensitive because of what might happen if they are misused (bank
         account details).

       • Details of how the information was held: paper, memory stick, disc,

       • Details of any safeguards, such as encryption, that would mitigate
         the risk if data has been lost or stolen.

       • Details of the number of individuals whose information is at risk.

       • How many individuals' personal data are affected by the breach? It
         is not necessarily the case that the bigger risks will accrue from the
         loss of large amounts of data, but it is certainly an important
         determining factor in the overall risk assessment.

       • Who are the individuals whose data has been breached? Whether
         they are staff, patients, clients or suppliers, for example, will to
         some extent determine the level of risk posed by the breach and,
         therefore, your actions in attempting to mitigate those risks.

       • What kind of intent can be determined as leading to the SUI? E.g.
         was it malicious, was it accidental? Intent gives an idea of the
         potential for harm to individuals.

       • What harm can come to those individuals? Are there risks to
         physical safety or reputation, of financial loss, or a combination of
         these and other aspects of their life?

       • What has happened to the data? If data has been stolen, it could
         be used for purposes which are harmful to the individuals to whom
         the data relate; if it has been damaged, this poses a different type
         and level of risk.

       • Regardless of what has happened to the data, what could the data
         tell a third party about the individual?

       • Are there wider consequences to consider, such as a risk to public
         health or loss of public confidence in an important service you

       • Whether the individuals concerned should be informed or not?

       • Whether the information about the SUI is in the public domain, and the
         extent of media interest and/or publication.

   5.6.3. Assess the potential incident level

       • Risk assessment methods commonly categorise incidents
         according to the likely consequences, with the most serious being
         categorised as a 5; an incident should be categorised at the
         highest level that applies when considering the characteristics and
         risks of the incident.

       • Although the primary factors for assessing the severity level are the
         number of individual data subjects affected, the potential for media
         interest and the potential for reputational damage, other factors
         may indicate that a higher rating is warranted, for example the
         potential for litigation or significant distress or damage to the data
         subject(s). As more information becomes available, the SUI level
         should be re-assessed.

       • Where the number of individuals potentially impacted by
         an incident is unknown, a sensible view of the likely worst case
         should inform the assessment of the SUI level. When more
         accurate information is determined, the level should be revised as
         quickly as possible and all key bodies notified.

       • Where the level of likely media interest is initially assessed as
         minor but this assessment changes due to circumstances (e.g. a
         relevant FOI request or specific journalistic interest), the SUI level
         should be revised as quickly as possible and all key bodies notified.
         Note that informing data subjects is likely to put an incident into the
         public/media domain.

       Incident level table (reputation, media interest, breach of confidentiality):

       Level 0: No significant reflection on any individual or body. Media
                interest very unlikely. Minor breach of confidentiality; only a
                single individual affected.

       Level 1: Damage to an individual's reputation. Possible media interest,
                e.g. celebrity involved. Potentially serious breach; less than 5
                people affected, or risk assessed as low, e.g. files were
                encrypted.

       Level 2: Damage to a team's reputation. Some local media interest that
                may not go public. Serious potential breach and risk assessed
                high, e.g. unencrypted clinical records lost; up to 20 people
                affected.

       Level 3: Damage to a service's reputation. Low key local media
                coverage. Serious breach of confidentiality, e.g. up to 100
                people affected.

       Level 4: Damage to an organisation's reputation. Local media coverage.
                Serious breach with either particular sensitivity, e.g. sexual
                health details, or up to 1000 people affected.

       Level 5: Damage to NHS reputation. National media coverage. Serious
                breach with potential for ID theft, or over 1000 people affected.
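As an added illustration (example code written for this edit, not part of the Trust's procedure or any NHS tool), the Python below applies the two rules of section 5.6.3 to the level table above: each dimension of the table (reputation, media interest, breach of confidentiality) yields a candidate level, the incident takes the highest level that applies, and an unknown head-count is assessed against a caller-supplied likely worst case and re-assessed once the real figure is known. The category names, the numeric thresholds read from the table's "e.g." cells, and the treatment of encrypted data as placing the breach dimension at level 1 ("risk assessed as low") are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Added example: rules of section 5.6.3 applied to the 0-5 level table.
# Thresholds and category names are this example's reading of the table's
# illustrative cells (an assumption), not a published scale.

MEDIA_LEVEL = {
    "unlikely": 0,        # media interest very unlikely
    "possible": 1,        # possible media interest, e.g. celebrity involved
    "local_private": 2,   # some local interest that may not go public
    "local_low_key": 3,   # low key local media coverage
    "local": 4,           # local media coverage
    "national": 5,        # national media coverage
}

REPUTATION_LEVEL = {
    "none": 0,            # no significant reflection on any individual or body
    "individual": 1,
    "team": 2,
    "service": 3,
    "organisation": 4,
    "nhs": 5,
}


@dataclass
class IncidentFacts:
    people_affected: Optional[int]   # None while the head-count is still unknown
    encrypted: bool                  # lost files/media were encrypted
    clinical_records: bool           # clinical records are among the data
    particularly_sensitive: bool     # e.g. sexual health details
    id_theft_potential: bool         # data could support identity theft
    media: str                       # a key of MEDIA_LEVEL
    reputation: str                  # a key of REPUTATION_LEVEL


def breach_level(f: IncidentFacts, people: int) -> int:
    """Level implied by the 'breach of confidentiality' column for a known head-count."""
    if f.encrypted:
        # Assumption: the level 1 cell "risk assessed as low, e.g. files were
        # encrypted" applies whatever the head-count; level 0 for one person.
        return 1 if people > 1 else 0
    if f.id_theft_potential or people > 1000:
        return 5
    if f.particularly_sensitive or people > 100:
        return 4
    if people > 20:
        return 3
    if f.clinical_records or people >= 5:
        # unencrypted clinical records lost, or 5-20 people affected
        return 2
    return 1 if people > 1 else 0


def assess_level(f: IncidentFacts, worst_case_people: Optional[int] = None) -> int:
    """Overall SUI level: the highest level any single dimension reaches.

    While the head-count is unknown the caller supplies a likely worst case,
    as 5.6.3 directs; call again with the accurate figure to revise the level.
    """
    if f.people_affected is None:
        if worst_case_people is None:
            raise ValueError("head-count unknown: supply worst_case_people")
        people = worst_case_people
    else:
        people = f.people_affected
    return max(
        breach_level(f, people),
        MEDIA_LEVEL[f.media],
        REPUTATION_LEVEL[f.reputation],
    )


if __name__ == "__main__":
    # Constructed incidents for demonstration only.
    lost_stick = IncidentFacts(None, False, True, False, False, "unlikely", "team")
    print("initial (worst case 1500):", assess_level(lost_stick, worst_case_people=1500))
    lost_stick.people_affected = 15            # accurate figure now known
    print("revised:", assess_level(lost_stick))
    encrypted_laptop = IncidentFacts(2, True, False, False, False, "national", "individual")
    print("encrypted but national press:", assess_level(encrypted_laptop))
```

The dimensions are deliberately kept independent so that a mitigating factor on one axis (encryption) never lowers a level driven by another (national media coverage), which is what the "highest level that applies" rule requires.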

   5.6.4. Prepare and implement a documented incident response plan.
          This may require input from specialists such as IT, HR, Governance
          and Communications and, in some cases, contact with external
          stakeholders and suppliers.

   5.6.5. The scope and content of the plan should cover the following
          containment and recovery issues:

       • Identification of expected outcomes

       • Identification of stakeholders to be involved

       • Communications plan

       • Investigation of the incident

       • Action to ensure the preservation of evidence in relation to the incident

       • Escalation decisions

       • Decisions regarding whether to inform or not inform data subjects
         (patients, staff)

       • Decisions regarding whether it is necessary to invoke the NHSW & CSW's
         disciplinary / contractual management processes etc., with documentation
         of the reasons where it is decided not to take action where such action
         may be viewed as relevant by external parties

       • Identification and management of the consequent risks of the incident
         (these may be IG-related or involve risks to patient safety, continuity of
         treatment etc.)

       • Instituting formal documentation processes; this must incorporate version
         control and configuration management

       • Maintaining an audit trail of events and evidence supporting decisions
         taken during the incident

       • Counter-measures to prevent recurrence

       • Identification of risks and issues that, whilst not 'in scope' of the incident,
         are appropriate for separate follow-up and action

5.7. Evaluation of the Cause of the incident

5.8. It is important not only to investigate the causes of the breach but also to
     evaluate the effectiveness of the response to it. Clearly, if the SUI was caused,
     even in part, by systemic and ongoing problems, then simply containing the
     breach and continuing 'business as usual' is not acceptable; similarly, if the
     response was hampered by inadequate policies or a lack of a clear allocation of
     responsibility, then it is important to review and update these policies and lines
     of responsibility in the light of experience.

5.9. Identify the manager who will be responsible for the Root Cause Analysis
     investigation. The Investigating Manager is to undertake the following:

     • Engage appropriate specialist help (IG, IT, Security, Records Management) if

     • Carry out a Root Cause Analysis (RCA) and produce a report as per the
       NPSA's template using the Incident Decision Tree (NPSA tools are available
       on go to tools).

     • Set a target timescale for completing the investigation and finalising reports

     • Ensure conformance with HR rules of evidence, interviews, preservation of
       evidence, suspending staff, etc.

     • Document the investigation and findings

     • Ensure that RCA report content is reviewed with sources for accuracy

     • Report reviewed by appropriate persons or appraisal group

     • Sign-off of report by the Investigating Officer, and by the CE if serious enough

     • Send to the relevant persons and/or committee

     • Identify lessons learnt

     • Identify who is responsible for disseminating lessons learnt

6. Final Closure of the incident

   6.1. Close SUI – only when all aspects, including any disciplinary action taken
        against staff, are settled.

   6.2. Update STEIS

   6.3. Where the SUI has been escalated to DH Business Unit notify them, of the

   6.4. Log SUI details for incorporation in end of year reports by Accountable
       Officer (see Annex C)

   6.5. Publish on PCT website as appropriate

Appendix A: Contents of the STEIS report

Unique SUI Reference:
Initial assessment of level of SUI (1-5):

Required                                                                                  Check
     01       Date, time and location of the incident
     02       Confirmation that DH guidelines for incident management are being
              followed and that disciplinary action will be invoked if appropriate
     03       Description of what happened: Theft, accidental loss, inappropriate
              disclosure, procedural failure etc.
     04       The number of patients/ staff (individual data subjects) data involved
              and/or the number of records
     05       The type of record or data involved and sensitivity
     06       The media (paper, electronic, tape) of the records
     07       If electronic media, whether encrypted or not
     08       Whether the SUI is in the public domain and whether the media (press
              etc.) are involved or there is a potential for media interest
     09       Whether the reputation of an individual, team, an organisation or the
              NHS as a whole is at risk and whether there are legal implications
     10       Whether the Information Commissioner has been or will be notified and
              if not why not
     11       Whether the data subjects have been or will be notified and if not why
     12       Whether the police have been involved
     13       Immediate action taken, including whether any staff have been
              suspended pending the results of the investigation
     14       Whether there are any consequent risks of the incident (e.g. patient
              safety, continuity of treatment etc.) and how these will be managed
     15       What steps have been or will be taken to recover records/data (if
     16       What lessons have been learned from the incident and how will
              recurrence be prevented
     17       Whether, and to what degree, any member of staff has been disciplined
              – if not appropriate why?
     18       Closure of SUI – only when all aspects, including any disciplinary action
              taken against staff, are settled.
