This is a tier 2 IG document.
Procedure for Reporting, Managing and
Investigating Information Governance
Serious Untoward Incidents v2.0
Job title of originator/author: Information Governance Manager
Date written: March 2009
Name of responsible committee/individual: Information Governance Steering Group / Chief Operating Officer Community
Date first written: August 2008
Equality Impact Assessment carried out and outcomes published (date): N/A
Date first approved by Committee / Trust August 2008
Date reapproved by committee:* March 2009 by Information Governance
Date approved by PEC:*
Date approved by PCT Board:*
Date Policy is valid: March 2009
Next Review date: March 2011
Target audience: All staff
1.1. This procedure sets out the steps and actions to be taken in the event that an
Information Governance (IG) Serious Untoward Incident (SUI)
involving personally identifiable data (PID) occurs in NHS
Wandsworth or Community Services Wandsworth (NHSW & CSW)
or any of their hosted organisations.
1.2. The definition of an IG SUI is:
Any incident involving the actual or potential loss of personal
information that could lead to identity fraud or have other significant
impact on individuals should be considered as serious.
The above definition applies irrespective of the media involved and
includes both loss of electronic media and loss of paper records.
1.3. This procedure is associated with and is a supplement to NHSW &
CSW’s Significant Untoward Incident Policy, Risk Management
Strategy, Accident and Incident Reporting Processes and Whistle
2.1. The intention of NHSW & CSW is to ensure that all Information
Governance related SUIs that occur in the organisations are reported
and managed in a consistent and effective manner so as to minimise
the risk of harm to individuals and the PCT.
The management of IG SUIs conforms to the processes and
procedures set out for managing all Serious Untoward Incidents;
There is a consistent approach to evaluating IG SUIs;
Early reports of IG SUIs are sufficient to decide appropriate
escalation, notification and communication to interested parties;
Appropriate action is taken to prevent damage to patients, staff and
the reputation of the NHS;
All aspects of a SUI are fully explored and ‘lessons learned’ are
identified and communicated; and
Appropriate corrective action is taken to prevent recurrence.
3.1. This procedure applies to all IG incidents. This procedure should be
used by all staff involved in reporting and responding to any IG SUI.
4.1. The Chief Operating Officer of Community Services Wandsworth, in her
capacity as the Senior Information Risk Owner (SIRO) for NHS Wandsworth,
will act as the lead Very Senior Manager (VSM) for IG SUIs.
4.2. In the absence of the SIRO, the Caldicott Guardian of the PCT will fulfil lead
officer responsibilities for IG SUI incidents.
4.3. In the absence of both the SIRO and the Caldicott Guardian, the on-call Director
will fulfil lead officer responsibilities.
The Information Governance Manager will be responsible for the
classification and privacy impact assessment of IG SUI issues, assurance
of compliance with NHS IG reporting requirements and action planning
for the resolution of IG SUIs.
The Head of Communications will be responsible for developing
and managing communications actions in response to IG SUIs and for
communications with external parties.
Managers are responsible for local investigation and implementation
of local action plans in relation to the IG SUI and for ensuring that this
procedure is followed in the management of IG SUIs.
5. Procedure for IG SUI management
5.1. An IG-related SUI can happen for a number of reasons:
Loss or theft of data or of equipment on which data is stored
Inappropriate access controls allowing unauthorised use
Unforeseen circumstances such as a fire or flood
‘Blagging’ offences, where information is obtained by deceiving the
organisation that holds it.
5.2. An IG-related SUI can have significant implications, such as ID fraud,
stress and damage to reputation, for various parties such as the staff involved
and line management staff, individuals whose data is involved and NHSW
5.3. However an Information Governance related SUI occurs, the five
core steps set out below are important elements of managing the
response to the SUI:
5.4. Recovery and Preservation of evidence
Institute efforts to try to recover the data involved in the incident
Institute formal documentation processes – this must incorporate
version control and configuration management
Maintain an audit trail of events and evidence supporting decisions
taken during the incident
Where it is suspected that an IG SUI has taken place, immediate
communication to the Senior Information Risk Owner, Caldicott
Guardian, Head of Communications and Information Governance
Manager (“key staff”) must be made to ensure that they are in a position
to respond to enquiries from third parties and to avoid surprises. Early
information, no matter how brief, is better than full information that is
“Key staff” will then undertake the required communications with other
stakeholders such as Chief Executive, Directors, NHS London,
Department of Health (SHA), Information Commissioners Office etc.
Reporting to the SHA should be undertaken as soon as practically
possible (and no later than 24 hours after the incident during the working
week). Key staff will report the SUI, i.e. all incidents rated as 1 to 5, to
the SHA through the usual SUI process. “Key staff” should keep the
SHA informed of any significant developments in internal/external
investigations, as appropriate.
Reporting incidents – STEIS is to be used for reporting all IG SUIs, and
an initial report should be made as soon as possible and no later than
24 hours after the incident or after first becoming aware of it. Further
information will become available as the investigation takes place, and
STEIS should be regularly updated as appropriate.
Only the Head of Communications, or a representative of the Head of
Communications, may institute press communications with external
stakeholders such as the Press. The communications team should
contact the SHA's Communications team immediately if there is the
possibility of adverse media coverage, in order to agree a media
The Information Commissioner should be informed of all Category 3-5
incidents. The decision to inform any other bodies will also be taken,
dependent upon the circumstances of the incident, e.g. where this
involves risks to the personal safety of patients, the National Patient
Safety Agency (NPSA) may also need to be informed.
Consideration should always be given to informing patients when
person identifiable information about them has been lost or
inappropriately placed in the public domain. Where there is any risk of
identity theft it is strongly recommended that this is done.
Appendix A sets out the contents of what should be included in
the STEIS report
5.6. Containment and Recovery – Managing the incident
5.6.1. Identify the person in the local work area who will be
responsible for managing the incident and coordinating
with the SIRO, IG Manager and Head of Communications.
5.6.2. Assess the risks of harm to individuals:
What type of data is involved?
How sensitive is the data? Some data is sensitive because of its
very personal nature (health records) while other data types are
sensitive because of what might happen if it is misused (bank
Details of how the information was held: paper, memory stick, disc,
Details of any safeguards such as encryption that would mitigate
the risk if data has been lost or stolen
Details of the number of individuals whose information is at risk.
How many individuals’ personal data are affected by the breach? It
is not necessarily the case that the bigger risks will accrue from the
loss of large amounts of data, but the number affected is certainly an
important determining factor in the overall risk assessment.
Who are the individuals whose data has been breached? Whether
they are staff, patients, clients or suppliers, for example, will to
some extent determine the level of risk posed by the breach and,
therefore, your actions in attempting to mitigate those risks
What kind of intent can be determined as leading to the SUI? E.g.
was it malicious, was it accidental? Intent gives an idea of the
potential for harm to individuals
What harm can come to those individuals? Are there risks to
physical safety or reputation, of financial loss or a combination of
these and other aspects of their life?
What has happened to the data? If data has been stolen, it could
be used for purposes which are harmful to the individuals to whom
the data relate; if it has been damaged, this poses a different type
and level of risk.
Regardless of what has happened to the data, what could the data
tell a third party about the individual?
Are there wider consequences to consider such as a risk to public
health or loss of public confidence in an important service you
Should the individuals concerned be informed or not?
Is the information about the SUI in the public domain, and what is the
extent of media interest and/or publication?
5.6.3. Assess the potential incident level
Risk assessment methods commonly categorise incidents
according to the likely consequences, with the most serious being
categorised as a 5. An incident should be categorised at the
highest level that applies when considering the characteristics and
risks of the incident.
Although the primary factors for assessing the severity level are the
numbers of individual data subjects affected, the potential for media
interest, and the potential for reputational damage, other factors
may indicate that a higher rating is warranted, for example the
potential for litigation or significant distress or damage to the data
subject(s). As more information becomes available, the SUI level
should be re-assessed.
Where the numbers of individuals that are potentially impacted by
an incident are unknown, a sensible view of the likely worst case
should inform the assessment of the SUI level. When more
accurate information is determined the level should be revised as
quickly as possible and all key bodies notified.
Where the level of likely media interest is initially assessed as
minor but this assessment changes due to circumstances (e.g. a
relevant FOI request or specific journalistic interest) the SUI level
should be revised as quickly as possible and all key bodies notified.
Note that informing data subjects is likely to put an incident into the
Level 0: No significant reflection on any individual or body. Media interest very unlikely. Minor breach of confidentiality; only a single individual affected.
Level 1: Damage to an individual’s reputation. Possible media interest, e.g. celebrity. Potentially serious breach; less than 5 people affected, or risk assessed as low, e.g. files were encrypted.
Level 2: Damage to a team’s reputation. Some local media interest that may not go. Serious potential breach and risk assessed high, e.g. unencrypted clinical records lost; up to 20 people affected.
Level 3: Damage to a service’s reputation. Low key local media coverage. Serious breach of confidentiality, e.g. up to 100 people affected.
Level 4: Damage to an NHS organisation’s reputation. Local media coverage. Serious breach with either particular sensitivity, e.g. sexual health details, or up to 1000 people affected.
Level 5: Damage to NHS reputation. National media coverage. Serious breach with potential for ID theft or over 1000 people affected.
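The following is an added illustration, not tooling from the procedure or the PCT, of how the level table in 5.6.3 and the "highest level that applies" rule can be applied to an incident's characteristics, including the worst-case assumption for an unknown head-count and the re-assessment once numbers are known. The field names, the worst-case figure of 1001 and the treatment of encryption as neutralising the content-based modifiers are the author's assumptions; the notification thresholds (SHA for all incidents rated 1 to 5, Information Commissioner for Category 3 to 5) are taken from the reporting paragraphs above.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed worst case for an unknown head-count (5.6.3: "a sensible view of
# the likely worst case should inform the assessment").
WORST_CASE_AFFECTED = 1001


@dataclass
class IgIncident:
    affected: Optional[int]       # data subjects affected; None while unknown
    encrypted: bool               # lost or stolen media was encrypted
    clinical: bool                # clinical records involved
    particularly_sensitive: bool  # e.g. sexual health details
    id_theft_possible: bool       # realistic potential for ID theft
    media_interest: int           # 0 very unlikely .. 5 national coverage
    reputation: int               # 0 no reflection .. 5 NHS reputation


def count_level(n: int) -> int:
    """Band from the head-count thresholds in the breach row of the table."""
    for level, limit in ((0, 1), (1, 4), (2, 20), (3, 100), (4, 1000)):
        if n <= limit:
            return level
    return 5


def incident_level(inc: IgIncident) -> int:
    """Highest level that applies across the table rows and risk modifiers."""
    n = WORST_CASE_AFFECTED if inc.affected is None else inc.affected
    levels = [count_level(n), inc.media_interest, inc.reputation]
    # Assumption: encryption makes the risk "low" (level 1 wording), so the
    # content-based modifiers below only fire for unencrypted material.
    if inc.clinical and not inc.encrypted:
        levels.append(2)   # "risk assessed high e.g. unencrypted clinical records"
    if inc.particularly_sensitive and not inc.encrypted:
        levels.append(4)   # "serious breach with particular sensitivity"
    if inc.id_theft_possible:
        levels.append(5)   # "potential for ID theft"
    return max(levels)


def bodies_to_notify(level: int) -> set:
    """External reporting thresholds stated in the procedure."""
    bodies = set()
    if level >= 1:
        bodies.add("SHA (STEIS, within 24 hours)")  # all incidents rated 1 to 5
    if level >= 3:
        bodies.add("Information Commissioner")      # Category 3 to 5 incidents
    return bodies
```

Re-running incident_level on the same incident once the head-count is known shows the downward revision that 5.6.3 requires to be reported to all key bodies as quickly as possible.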
5.6.4. Prepare and implement documented incident response plan.
This may require input from specialists such as IT, HR, Governance,
and Communications and in some cases contact with external
stakeholders and suppliers.
5.6.5. The scope and content of the plan should cover the following
containment and recovery issues:
Identification of expected outcomes
Identification of stakeholders to be involved
Investigation of the incident
Action to ensure the preservation of evidence in relation to the incident
Decisions regarding whether or not to inform data subjects
Decisions regarding whether it is necessary to invoke NHSW & CSW’s
disciplinary / contractual management processes etc., with documentation
of the reasons where it is decided not to take action that
may be viewed as relevant by external parties
Identification and management of the consequent risks of the incident
(these may be IG-related or involve risks to patient safety, continuity of
Instituting formal documentation processes – this must incorporate version
control and configuration management
Maintaining an audit trail of events and evidence supporting decisions
taken during the incident
Counter-measures to prevent recurrence
Identification of risks and issues that, whilst not ‘in scope’ of the incident,
are appropriate for separate follow-up and action
5.7. Evaluation of the Cause of the incident
5.8. It is important not only to investigate the causes of the breach but also to
evaluate the effectiveness of the response to it. Clearly, if the SUI was caused,
even in part, by systemic and ongoing problems, then simply containing the
breach and continuing ‘business as usual’ is not acceptable; similarly, if the
response was hampered by inadequate policies or a lack of a clear allocation of
responsibility, then it is important to review and update these policies and lines
of responsibility in the light of experience.
5.9. Identify the manager who will be responsible for the Root Cause Analysis
investigation. The Investigating Manager is to undertake the following:
Engage appropriate specialist help (IG, IT, Security, Records Management) if
Carry out a Root Cause Analysis (RCA) and produce a report as per the
NPSA’s template using the Incident Decision Tree (NPSA tools are available
at www.npsa.nhs.uk under Tools).
Set target timescale for completing investigation and finalising reports
Ensure conformance with HR rules of evidence, interviews, preservation of
evidence, suspending staff, etc
Document investigation and findings
Ensure that RCA report content is reviewed with sources for accuracy
Report reviewed by appropriate persons or appraisal group.
Sign-off of report – Investigating Officer and CE if serious enough
Send to the relevant persons and/ or committee.
Identify lessons learnt
Identify who is responsible for disseminating lessons learnt
6. Final Closure of the incident
6.1. Close SUI – only when all aspects, including any disciplinary action taken
against staff, are settled.
6.2. Update STEIS
6.3. Where the SUI has been escalated to DH Business Unit notify them, of the
6.4. Log SUI details for incorporation in end of year reports by Accountable
Officer (see Annex C)
6.5. Publish on PCT website as appropriate
Unique SUI Reference:
Initial assessment of level of SUI (1-5):
01 Date, time and location of the incident
02 Confirmation that DH guidelines for incident management are being
followed and that disciplinary action will be invoked if appropriate
03 Description of what happened: Theft, accidental loss, inappropriate
disclosure, procedural failure etc.
04 The number of patients/staff (individual data subjects) whose data is
involved and/or the number of records
05 The type of record or data involved and sensitivity
06 The media (paper, electronic, tape) of the records
07 If electronic media, whether encrypted or not
08 Whether the SUI is in the public domain and whether the media (press
etc.) are involved or there is a potential for media interest
09 Whether the reputation of an individual, team, an organisation or the
NHS as a whole is at risk and whether there are legal implications
10 Whether the Information Commissioner has been or will be notified and
if not why not
11 Whether the data subjects have been or will be notified and if not why
12 Whether the police have been involved
13 Immediate action taken, including whether any staff have been
suspended pending the results of the investigation
14 Whether there are any consequent risks of the incident (e.g. patient
safety, continuity of treatment etc.) and how these will be managed
15 What steps have been or will be taken to recover records/data (if
16 What lessons have been learned from the incident and how will
recurrence be prevented
17 Whether, and to what degree, any member of staff has been disciplined
– if not appropriate why?
18 Closure of SUI – only when all aspects, including any disciplinary action
taken against staff, are settled.
IG SUI STEIS REPORTING GUIDELINES