PROCEDURE FOR REPORTING A BREACH OR POTENTIAL BREACH OF DATA SECURITY

DATE APPROVED:

APPROVED BY:

IMPLEMENTATION DATE:

REVIEW DATE:

LEAD DIRECTOR:

IMPACT ASSESSMENT STATEMENT:   NO ADVERSE IMPACT ON EQUALITY OR DIVERSITY




 Reference Number:   IM&T - PROCEDURE - 008




Issue Date       Issued By   Records Manager   Document No
Revision         Authority                     Page          1 of 20
                   WEST MIDLANDS AMBULANCE SERVICE NHS TRUST
             BREACH OR POTENTIAL BREACH OF DATA SECURITY OR DATA LOSS


Change Control:

Document Number        IM&T – Procedure - 008
Document               Breach or Potential Breach of Data Security or Data Loss
Version
Owner
Distribution list      All
Issue Date             October 2008
Next Review Date
File Reference         PRO - 008
Author                 Records Manager


Change History:

Date         Change                                    Authorised by
Aug 08       Draft
Sept 08      Sent to Executive Team for approval       Approved
Mar 09       Document re-numbered from GOV-IM&T-008
May 2009     Sent for Approval                         IG Committee
Dec 09       Amendments                                Records Manager







CONTENTS

1       Introduction                                                           4
2       Scope                                                                  4
3       Relevant Procedures/Policies                                           4
4       Definitions                                                            4
5       Person Identifiable Data                                               4
6       Serious Untoward Incident (SUI)                                        5
7       What Events/Incidents should be reported?                              5
8       To Whom Should an Event/Incident be reported?                          6
9       Should the Incident be reported to the Police?                         6
10      When Should the Event/Incident be reported?                            6
11      How should the Event/Incident be reported?                             6
12      Volunteers                                                             7
13      Will Disciplinary Action be taken against the individual concerned?    8
14      Retention Period                                                       8

Appendix 1                                                                     1
Action card 1 for Person losing the data                                       1
Action card 2 for Person losing the data                                       1
Action card 3 for Senior Officer of the Dept or Line Manager                   2
Appendix 3                                                                     3
Action Card 4 for the Information Governance Department                        3
Action Card 5 for Silver on Call dealing with Data Loss out of Office Hours    3
Checklist for Assessing SUI Score                                              5
SUI Score                                                                      6
Appendix 7                                                                     7
Examples of what data issues can and cannot wait                               7
Appendix 8                                                                     8
CHECKLIST FOR DEALING WITH DATA SECURITY BREACHES                              8
Appendix 9                                                                     9
Form 1a                                                                        9
CHECKLIST FOR DEALING WITH DATA SECURITY BREACHES                              9
Assessing the Risks                                                           10
Appendix 11                                                                   11
Assessment of SUI Risk                                                        11
Appendix 12                                                                   12
Form 1c                                                                       12
Notifying those concerned                                                     12
Appendix 13                                                                   13
Form 1d                                                                       13
Evaluation and response                                                       13






             1     Introduction

                    1.1    As a Trust, we are required to take extreme care of any personal data that
                           we hold and ensure its safety at all times.

                    1.2    This procedure is intended to deal with breaches of Data Security or Data
                           Loss in a consistent manner.

                    1.3    It can also be used to report any potential breaches in data security.

             2     Scope

                    2.1    This procedure applies to every employee, volunteer or agent of the Trust.

             3     Relevant Procedures/Policies

                    3.1    This procedure must be read in conjunction with all relevant Trust policies
                           including:

                                           • Release of Patient Identifiable Information
                                           • Trust Incident Reporting Policy
                                           • Information Governance Policy
                                           • Records Management Policy
                                           • Code of Confidentiality
                                        [This list is not exhaustive]
             4     Definitions

                   4.1     Incident

                           4.1.1        An event that has a high probability of compromising business
                                        operations or of having other information security impacts.

                   4.2     Weakness

                           4.2.1        The potential for an incident to occur that was previously unknown
                                        or not considered during a risk analysis.
                           4.2.2        An example of a weakness is a change of building use that results
                                        in the potential for new threats.




       5         Person Identifiable Data

                 Person identifiable data is one or more of the pieces of information which
                 can be used along with public domain information to identify an individual,
                 combined with information about that individual whose release is likely to
                 cause harm or distress.

                 Information which can be used to identify an individual:

                        • Name / addresses (home or business or both) / postcode / email /
                          telephone numbers / driving licence number / date of birth
                        • Car registrations
                        • Audio recordings
                        • Photographs

                 (Note that driving licence number is included in this list because it
                 directly yields date of birth and first part of surname)

                 Information about that individual whose release is likely to cause harm or
                 distress:

                        • Sensitive personal data as defined by s2 of the Data Protection Act,
                          including records relating to the criminal justice system, and group
                          membership
                        • DNA or finger prints / bank, financial or credit card details /
                          mother’s maiden name / National Insurance number / Tax, benefit or
                          pension records / health records / employment record / school
                          attendance or records / material relating to social services
                          including child protection and housing


                  5.1    These are not exhaustive lists. Departments should determine whether
                         other information they hold should be included in either category.

             6   Serious Untoward Incident (SUI)

                  6.1    A Serious Untoward incident is something out of the ordinary or unexpected
                         which is likely to cause damage to the NHS and attract media, ministerial or
                         public attention.

                  6.2    Any incident involving the loss of personal medical information or personal
                         identifiable data or site sensitive data that could lead to identity fraud or have
                         other significant impact on individuals should be considered as serious.

             7   What Events/Incidents should be reported?

                  7.1    Any event that could potentially compromise the security of personal data
                         such as

                                           •   Theft of a laptop
                                           •   Loss of mobile phones, flash drives etc.
                                           •   Unauthorised disclosure of Personal Information
                                           •   Loss of Patient Report Forms
                                           •   Loss of Personal Files
                                           •   Non-arrival of sensitive information
                                           •   Loss of a smartcard
                                           •   Maintenance of unsecured databases
                                           •   Loss of site sensitive information
                                           •   Inappropriate use of the Internet.

                                        The above list is not exhaustive




             8   To Whom Should an Event/Incident be reported?

                   8.1   There are a number of action cards attached to this procedure which detail
                         to whom the breach should be reported and by whom:

                                         •    Procedure for the individual
                                         •    Procedure for the Senior Officer
                                         •    Procedure for the Information Governance Department
                                         •    Procedure for the Silver on Call

         9       Should the Incident be reported to the Police?

                   9.1   This depends upon the circumstances of the loss. If it is reported to the
                         Police the name and the collar number of the Officer must be obtained and
                         recorded on the WMAS54. If the loss involves criminal activity a crime
                         number must also be obtained.

                   9.2   Examples of incidents that should be reported to the Police:

                                         •    If equipment (including paper records) containing sensitive
                                              information is taken in a burglary.
                                         •    If a portable media device containing sensitive information is
                                              dropped in the street or is taken in a robbery.
                                         •    If paper records have been lost in the street, check with the
                                              nearest Police Station that they have not been handed in.
                                         •    Loss of site sensitive information.
                                         •    If an individual is accessing inappropriate websites e.g. child
                                              pornography.

                                      The above list is not exhaustive.

         10       When Should the Event/Incident be reported?

                  10.1   Immediately the data loss has been discovered. Do not delay reporting.

                  10.2   It is better to report the loss and find the data at a later stage than not report
                         the data loss at all.

                  10.3   If anyone is found to deliberately delay or hinder anyone in reporting the loss
                         of data to the Trust they may face disciplinary action.

         11       How should the Event/Incident be reported?

                  11.1   The Trust has a unified incident reporting procedure in WMAS54. The
                         sections must be completed as follows.

                         11.1.1 Section A tick box Security - Theft/Loss/Damage or if applicable
                                      ‘near miss’






                     An example of a ‘near miss’ could be when some records blow out of an
                     ambulance into the street but everything is recovered immediately. These
                     need to be reported to the Records Manager for statistical purposes.

                     11.1.2 Sections B and C – are not applicable.
                     11.1.3 Section D – must be completed giving details of the incident.
                     11.1.4 Section E – should be completed if equipment is involved e.g. ARP
                            radio; Blackberry.
                     11.1.5 Section F – must be completed giving details of the loss.
                     11.1.6 Section G – must state the names of anyone involved in the data
                            loss e.g. the crew on duty at the time.
                     11.1.7 Section H – this should give the name of the first person in
                            authority to which the data loss was reported.
                     11.1.8 Section I – should be completed after the event, after the
                            investigation has taken place and in conjunction with the Corporate
                            Services Directorate.

               11.2   The original WMAS54 must be sent to the locality Governance Safety and
                      Risk Manager. A copy of the form, even if it only shows the basic detail,
                      must be sent to the Information Governance Department without delay.

               11.3   If sending WMAS54 by e-mail, it must be password protected. Please
                      telephone the intended recipient with the password.

               11.4   If sending by fax, ensure someone has been in contact with the Information
                      Governance section; they will give you a fax number to send the WMAS54
                      to.

              11.5   The rationale behind this is that urgent action can be taken to contain the
                     data loss e.g. contacting banks to warn that personal banking details of
                     individuals have been mislaid.

               11.6   In addition a SUI has to be reported as soon as possible to the Strategic
                      Health Authority, and the amount of information available will determine
                      the SUI rating.

              11.7   Co-ordination of the investigation will be undertaken by the Information
                     Governance Department but a senior person within the Department
                     affected will be required to undertake any investigation at local level.
                     Advice and guidance throughout will be available from the Information
                     Governance Department.

         12   Volunteers

               12.1   Volunteers working for the Trust must notify their paid employee line
                      manager on a form M1; the line manager will transfer the information onto
                      a WMAS54.

              12.2   Upon receipt/notification of a data loss the checklist will be completed by the
                     Information Governance Department.

              12.3   The relevant sections will be completed as the investigation progresses.





         13   Will Disciplinary Action be taken against the individual concerned?

              13.1   If the Reporting Officer suspects that the person has wilfully and/or
                     deliberately breached data security then Human Resources and the Local
                     Security Management Specialist [LSMS] must be informed without delay
                     with a view to considering disciplinary action being taken.

              13.2   Any volunteer suspected of breaching data security should be referred
                     without delay to the Regional Head of Community Response.

              13.3   If the volunteer is attached to a different part of the Trust (e.g. Midlands Air
                     Ambulance) the appropriate Director should be advised immediately.

               13.4   Should this occur, the Information Governance Department should be told
                      that disciplinary action is being taken against the individuals concerned
                      and a summary of findings given to them to keep with their records. If
                      necessary, the Regional Head of Information Governance can provide
                      technical advice on Governance issues associated with any disciplinary
                      action.

         14   Retention Period

               14.1   These checklists will be retained for 8 years, which is in line with incident
                      forms.




     Appendix 1
                                Action card 1 for Person losing the data

                      This must be done immediately the loss has been discovered

                                                  In Office Hours

       Action                                                                 Comments
1.     Check the immediate vicinity to ensure the data has not just been
       misplaced.
2.     Inform the Senior Manager of the Department responsible for holding
       the data or your line manager.
3.     If appropriate inform the Police [see section 10].
4.     Write a statement outlining the circumstances of the loss and hand
       to the Senior Manager of the Department to whom the data belongs as
       soon as possible.
5.     Liaise with the Senior Manager of the Department in the progress of
       the investigation.

                                Action card 2 for Person losing the data

                      This must be done immediately the loss has been discovered

                                               Out of Office Hours

       Action                                                                 Comments
1.     Check the immediate vicinity to ensure the data has not just been
       misplaced.
2.     Inform the Silver on Call for the locality outlining the circumstances
       of the loss.
3.     If appropriate inform the Police [see section 10].
4.     Provide a written statement outlining the circumstances of the loss
       and hand to the Senior Manager of the Department to whom the data
       belongs or the Silver on Call as soon as possible.
5.     Liaise with the Senior Manager of the Department and the Silver on
       Call in the progress of the investigation.






     Appendix 2
                    Action card 3 for Senior Officer of the Dept or Line Manager

              This must be done immediately the loss is reported to you during office hours

      Action                                                                       Comments
1.    Establish what data has been lost and the circumstances.
2.    If appropriate inform the Police, either of the loss or asking if data has been
      handed in. [see section 10]
3.    Inform the Information Governance Department or, in their absence, the Regional
      Head of Governance Safety and Risk.
      If personal data loss is involved a telephone call and/or e-mail must also be made
      to the Information Governance Department. Contact details are as follows:
      Telephone: 01384 246 465 or 01384 246 372 or 07837 423835
      E-mail: data.protection@wmas.nhs.uk
4.    If appropriate commence an immediate search to try and find the missing data e.g.
      if it is PRFs that have been misplaced send someone to the area of the loss to see
      if they are still there.
5.    Complete WMAS54 sections A to H and send a copy to the Information Governance
      Department without delay [see section 9].
      Collect relevant statements and commence investigation, liaising with the
      Information Governance Department at all stages.
6.    Has this been a wilful or deliberate breach of data security? If so, consult Human
      Resources and the Local Security Management Specialist [LSMS] for further advice.
7.    Consider how the individuals affected are told about the data loss. If in doubt
      seek advice from the Information Governance Department or a member of the
      Executive Team.
8.    For each person contacted keep a record of the outcome of the conversation and
      report back to the Information Governance Department as appropriate.






      Appendix 3
                      Action Card 4 for the Information Governance Department

       Action                                                                                      Comments
 1.    Start checklist and complete as progress is made through the investigation.
 2.    Inform the Regional Head of Information Governance
 3.    If appropriate, inform the Regional Head of IT
 4.    Inform the Director of Corporate Services
 5.    If appropriate, inform the RA manager of the loss of smartcards
 6.    If appropriate, inform the Caldicott Guardian
 7.    Inform the Regional Head of Governance Safety and Risk
 8.    If appropriate, inform the Information Commissioner
 9.    Liaise with the Senior Manager in completing the checklist.
10.    Ensure all relevant staff are kept up to date with the progress of the investigation
11.    Ensure checklists are completed in a timely fashion.


      Appendix 4
          Action Card 5 for Silver on Call dealing with Data Loss out of Office Hours

       Action                                                                                      Comments
1.     Establish what data has been lost and the circumstances.
2.     If appropriate inform the Police either of the loss or asking if data has been handed in.
       [see section 10]
3.     If appropriate, instigate a search for the missing data.
4.     If appropriate, refer the matter higher up the on call chain of command
5.     If appropriate, contact the IT Staff on call
6.     If possible, identify the individuals whose records are missing but DO NOT attempt to
       contact them out of hours. Pass the information over to the Senior Officer of the
       affected Department at the first opportunity.
7.     Assess the level of SUI against the questions and the table on Action Card 6.
8.     If the SUI score is A1, A2, B1, B2, C1, C2, D1 or D2:
            • Send the completed Action Card 6 to the Information Governance Department by
                fax on 01384 246318
            • Send a copy of the partially completed WMAS54 to the Information Governance
                Department
            • Send the original WMAS54 and any other paperwork to the senior person in
                charge of the lost data.
       E-mail address: data.protection@wmas.nhs.uk
       Any SUI falling into this category will be reported the next working day to the SHA.
9.     If the score falls in E1, F1, E2 or F2 a member of the Executive Team must be
       informed.
       They will report the SUI as per the out of hours SUI procedure and take any
       appropriate action.
       All paperwork must be sent to the Information Governance Department the next
       working day for reporting to the Information Commissioner.
10.    Important
       If the data loss involves someone who could present a ‘significant media
       interest’ e.g. a celebrity or their relatives then the Medical Officer on call should
       be notified as well as the Press Officer on call.

       In these circumstances, the score may be low but the Trust’s reputation may be
       called into question.


       Action                                                                             Comments
11.    Start completion of WMAS54 passing over to the Senior Officer of the Department
       affected by the data loss at the earliest opportunity.
12.    Action card 7 gives some examples of what data losses or breaches can and cannot
       wait.
13.    Sources of advice out of hours include
           • Gold Commander
           • On call IT Officer
           • On call Medical Officer
           • On call Press Officer
           • EOC Duty Officer
           • On call Emergency Preparedness Officer
           • On call Director






      Appendix 5
                                               Action Card 6
                                    Checklist for Assessing SUI Score

       Question                                                              Answer
       • What type of data is involved?
       • How sensitive is it?
       • If the data has been lost or stolen, are there any protections in
         place such as encryption?
       • What has happened to the data? If data has been lost or stolen, it
         could be used for purposes which are harmful to the individuals to
         whom the data relates. If it has been damaged, this poses a
         different type of risk.
       • Regardless of what has happened to the data, what could the data
         tell you about the individual? Sensitive data could mean very
         little to an opportunistic laptop thief whilst apparently trivial
         snippets of information could help a determined fraudster build up
         a detailed picture of other people.
       • How many individuals’ personal data are affected by the breach?
       • Who are the individuals whose data has been breached? Are they
         staff, patients, or suppliers?
       • What harm can come to these individuals? Are there risks to
         physical safety and/or reputation, of financial loss or a
         combination of these and other aspects of their life?
       • Are there wider consequences to consider such as a risk to public
         health or loss of confidence in the Ambulance Service?
       • Does the loss involve banking details? If so, banks must be
         informed immediately.






    Appendix 6

    SUI Score

                                              Assessment of SUI Risk

Row 1
  A1  No significant reflection on the individual or Trust. Media interest very unlikely.
  B1  Damage to an individual’s reputation. Possible media interest, e.g. a celebrity is involved.
  C1  Damage to a team’s reputation. Some local media interest that may not go public.
  D1  Damage to a service’s reputation / low key local media coverage.
  E1  Damage to an organisation’s reputation / local media coverage.
  F1  Damage to NHS reputation / national media coverage.

Row 2
  A2  Minor breach of confidentiality. Only a single individual affected.
  B2  Potentially serious breach. Less than 5 people affected, or risk assessed as low, e.g. files were encrypted.
  C2  Serious potential breach and risk assessed as high, e.g. unencrypted clinical records lost. Up to 20 people affected.
  D2  Serious breach of confidentiality, e.g. up to 100 people affected.
  E2  Serious breach with either particular sensitivity, e.g. sexual health details, or up to 1000 people affected.
  F2  Serious breach with potential for ID theft or over 1000 people affected.






Appendix 7

                                               Action Card
                    Examples of what data issues can and cannot wait.

Can wait until the next working day:
     • Loss of one person’s records, as long as they do not pose a significant media interest.
     • Losses of site sensitive information, as long as the Police have been informed. The relevant Director must be informed of the loss the next working day.
     • Non-arrival of sensitive data sent via registered courier.
     • Potential breach of data security, as long as no one is at risk.

Reported immediately:
     • Loss of a disk/memory stick/flash drive containing over 100 personal records.
     • Deliberate/wilful handover of more than 10 records to an unauthorised source.
     • Very serious breach with potential for ID theft where over 100 people are affected.
     • Suspected breach of a major computer system, e.g. a CAD.

       This list is not exhaustive and each case must be considered on its merits.

 IF IN DOUBT REFER TO THE GOLD COMMANDER FOR ADVICE






                                                                           Appendix 8

             CHECKLIST FOR DEALING WITH DATA SECURITY BREACHES


Form 1a                     to be completed by the Information Governance Department
                            immediately a loss has been notified

Form 1b                     (also replicated in Action Card 6) to be completed by the
                            Information Governance Department during office hours and
                            by the Silver on Call out of office hours

Form 1c                     to be completed by the Information Governance Department in
                            conjunction with the Reporting Officer. This will be completed

Form 1d                     to be completed by the Information Governance Department in
                            conjunction with the Reporting Officer.






Appendix 9
                                            Form 1a
               CHECKLIST FOR DEALING WITH DATA SECURITY BREACHES
               This will be completed by the Information Governance Department

Locality:
Department:
Date:
Staff involved:

Brief description of data loss:

Containment and Recovery
(For each item record the name of the person checking the information, comments and the date.)

Verbal/e-mail notification received
WMAS54 received [state ref no]
Does it contain all the relevant information? If no, who has been contacted for further information?
Lead officer for investigating the breach
Additional resources to be provided by [include here contact details]
Has the Director of Corporate Services been informed of the breach? By whom and how?
Does the Caldicott Guardian need to be informed? If so, by whom and how?
What is the role of the additional resources in containing the breach? This could include:
     • Physically looking for the files
     • Isolating or closing a compromised section of the network
     • Changing an access code
     • ‘Stopping’ access to devices
Have all listed above been notified? If so, by whom?
Have the Police been informed?
Has the Information Commissioner been informed?
IG Reference Number






Appendix 10
Assessing the Risks

This will be completed during office hours by the Information Governance Department and outside
of office hours by Silver on Call.

Before going any further, it is necessary to assess the risks.

Some data security breaches will not lead to risks beyond possible inconvenience to those who
need the data to do their job. For example, a laptop may have been irreparably damaged but its
files were backed up and can be recovered, albeit at some cost to the Trust. Whilst these types of
incidents can have significant consequences, the risks are very different from those posed, for
example, by the theft of a number of Patient Report Forms.

The most important factor is the assessment of potential adverse consequences for individuals,
how serious or substantial these are and how likely they are to happen.

Answering the following questions will help in making this assessment.

                       Question                                 Answer              SUI Score
What type of data is involved?
How sensitive is it?
If the data has been lost or stolen, are there any protections in place such as encryption?
What has happened to the data? If data has been lost or stolen, it could be used for purposes which are harmful to the individuals to whom the data relates. If it has been damaged, this poses a different type of risk.
Regardless of what has happened to the data, what could the data tell you about the individual? Sensitive data could mean very little to an opportunistic laptop thief, whilst apparently trivial snippets of information could help a determined fraudster build up a detailed picture of other people.
How many individuals’ personal data are affected by the breach?
Who are the individuals whose data has been breached? Are they staff, patients, or suppliers?

The answers to the above questions will determine the level of risk posed by the breach.

What harm can come to these individuals?
Are there risks to physical safety and/or reputation, of financial loss, or a combination of these and other aspects of their life?
Are there wider consequences to consider, such as a risk to public health or loss of confidence in the Ambulance Service?
Does the loss involve banking details? If so, banks must be informed immediately.

Overall SUI Score
Once the above information has been assessed, it is necessary to assess the level of SUI
that needs to be reported to the Strategic Health Authority.





     Appendix 11
                                                  Assessment of SUI Risk

Row 1
  A1  No significant reflection on the individual or Trust. Media interest very unlikely.
  B1  Damage to an individual’s reputation. Possible media interest, e.g. a celebrity is involved.
  C1  Damage to a team’s reputation. Some local media interest that may not go public.
  D1  Damage to a service’s reputation / low key local media coverage.
  E1  Damage to an organisation’s reputation / local media coverage.
  F1  Damage to NHS reputation / national media coverage.

Row 2
  A2  Minor breach of confidentiality. Only a single individual affected.
  B2  Potentially serious breach. Less than 5 people affected, or risk assessed as low, e.g. files were encrypted.
  C2  Serious potential breach and risk assessed as high, e.g. unencrypted clinical records lost. Up to 20 people affected.
  D2  Serious breach of confidentiality, e.g. up to 100 people affected.
  E2  Serious breach with either particular sensitivity, e.g. sexual health details, or up to 1000 people affected.
  F2  Serious breach with potential for ID theft or over 1000 people affected.


     Using row/column format:

     Any incident categorised A1 or A2 [SUI Score 0] will be reported at Trust level; there is no
     need for these to be reported any higher.

     Any incident categorised B1, B2, C1 or C2 [SUI Score 1 & 2] will be reported to the SHA as a
     SUI and possibly to the Information Commissioner.

     Any incident categorised D1, D2, E1, E2, F1 or F2 [SUI Score 3, 4 & 5] will be reported to the
     Information Commissioner as routine by the Corporate Services Directorate. Other agencies
     may need to be informed, e.g. National Patient Safety Agency, Healthcare Professions Council.

     Please note the SHA will notify the Department of Health of any breaches if D1, E1 or F1 apply,
     and the Department of Health and the Ministerial Briefing Unit if any of the risks in D2, E2 or
     F2 apply.

     Level of SUI Risk: ______
     Reported to the Regional Head of Governance Safety and Risk by: ______
     On: ______
     Reference Number: ______






                                                                                         Appendix 12

                                              Form 1c
                                     Notifying those concerned

This will be completed by the Information Governance Department in conjunction with the reporting
officer.

Consider:
    • Number of people involved
    • Type of data loss.

                          Question                                                   Answer
Can notification help the Trust meet our security obligations with regard to the seventh data protection principle? *
Can notification help the individual? Bearing in mind the potential effects of the breach, could individuals act on the information you provide to mitigate the risks, e.g. cancelling a credit card or changing a password?
Are vulnerable groups involved? If so, consider how they should be informed.
Consider the dangers of ‘over notifying’. Not every incident will warrant notification, and notifying a 2 million strong patient database of an issue only affecting 2000 patients may well cause disproportionate enquiries and work.

* The seventh data protection principle
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful
processing of personal data and against accidental loss or destruction of, or damage to, personal
data.



             Question                                  Answers                    Name of person         Date
                                                                                  checking information
How have the people affected been informed of the data loss?
Who has informed them of the data loss?
Following contact with the affected individuals, is there any further action required? e.g. letter of explanation, personal visit.
If appropriate, has a further follow up been arranged?






                                                                                 Appendix 13

                                             Form 1d
                                     Evaluation and response

‘Business as usual’ is not an option.

All data losses must be evaluated and any weaknesses in policies or procedures identified and
amended accordingly.

Do the individuals concerned require additional training?

Actions Taken                       By whom                              Date




Reported to the HSR Committee on ______ by ______



Any further actions required:


Actions required                     By whom                             Date



