There are three different types of personal data breach.
Confidentiality breach
A confidentiality breach is where there is an unauthorised or accidental disclosure of, or access to, personal data.
Examples include:
Personal data of 500 survey respondents are sent by email to the wrong supplier
Unencrypted portable devices containing dataset extracts, which include details of hospital admissions are stolen from a research office
An IT services firm has been contracted as a processor to archive and store customer records. The IT firm detects an attack on its network that results in personal data about customers being unlawfully accessed
An employee file containing references and sickness records is left on public transport
Integrity breach
An integrity breach is where there is an unauthorised or accidental alteration of personal data.
Examples include:
An authorised user of a system modifies the profiles and access controls of other users without permission
An analyst with authorised access to a dataset containing personal data makes additional copies of the dataset without applying robust version control procedures
Availability breach
An availability breach is where there is an accidental or unauthorised loss of access to, or destruction of, personal data.
Examples include:
The decryption key to securely encrypted personal data has been lost, rendering the data unavailable until it is restored from a backup
An operating system vulnerability is exploited by a ransomware attack, which results in personal data being encrypted for several days until the issue is resolved
Digital and Non-digital Incidents
The ICO has provided further guidance on the types of incident that may involve a breach of personal data.
Digital
Brute force
Cryptographic flaw
Denial of service
Hardware/software misconfiguration
Malware
Phishing
Ransomware
Unauthorised access
Alteration of personal data
Data emailed to the incorrect recipient
Data of wrong data subject shown in client portal
Failure to redact
Failure to use bcc
Incorrect disposal of hardware
Non-digital
Alteration of personal data
Data posted or faxed to the incorrect recipient
Failure to redact
Incorrect disposal of paperwork
Loss/theft of paperwork or data left in an insecure location
Verbal disclosure of personal data
Imagine the risk involved in making an important decision about a person’s care if his or her record was no longer available, was wrong or incomplete or if someone had tampered with it. Security incidents can lead to serious personal data breaches which can impact the care and treatment patients receive.
Imagine a patient's care being adversely affected by either the lack of availability or the alteration of a connected medical device.
Reporting Incidents
Your role is to report concerns or details of a security incident as soon as you become aware of it. Your organisation should have an incident reporting procedure setting out what staff members should do on discovering a security incident or suspecting one has occurred.
You have a responsibility to familiarise yourself with your organisation’s incident reporting procedure and to know who to report data security incidents to.
· If you have concerns or become aware of a data security incident – report it. Do not assume that it is somebody else’s responsibility to report the incident – we all have a role to play in protecting patient and staff information
· Your organisation will have an individual or team whose responsibility it is to manage and investigate an incident
· Near misses, where information was nearly lost or where someone attempted to access information should also be reported
· Know your organisation’s policy regarding the safe and acceptable use of IT
GDPR
The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority (the ICO). Your organisation will have a representative or team responsible for doing this and it must be done within 72 hours of becoming aware of the breach, where feasible. There are very similar tight timescales for cyber incidents.
It is very important that you escalate any concerns very quickly and in accordance with the relevant corporate policies and procedures.
POSTAL BREACHES
Certain procedures can help to reduce the risk of data breaches when sending information by post, email, telephone and fax.
Consider the different ways in which breaches and incidents can be avoided by remaining vigilant and aware of your personal responsibility.
Miss Broom is waiting to receive information from her social worker. She opens her post one morning and finds that, as well as her own letter, the envelope contains two further letters addressed to other people.
Miss Broom contacts the organisation and tells an administrative officer about the letters.
The organisation's IG lead telephones Miss Broom to apologise for the error and asks her to keep the letters safe while arrangements are made for someone to collect them.
The organisation writes a formal apology to Miss Broom and to the two individuals about whom she received letters.
Both individuals were deeply concerned that Miss Broom, whom they did not know, now knew important information about them. One of them wrote to their local paper about the breach.
Senior staff in the local authority spent the next two weeks responding to media queries about the number of breaches that the organisation had experienced.
The other individual, who had suffered from a similar breach the previous year, instructed his solicitor to bring legal proceedings against the local authority.
Make sure that all correspondence containing personal information is always addressed to a named person, not to a department, a unit or an organisation.
If the information contained in a letter goes beyond basic information such as appointment details, consider sending it by recorded or tracked delivery.
Recorded delivery
Consider using tracked or recorded delivery for personal information. Take special care when sending large amounts of personal information, for example, case notes or care records on paper, encrypted disk or other media.
Send these by tracked or recorded post or by NHS courier to ensure that such information is only seen by the authorised recipients. In some circumstances, you should obtain a receipt as proof of delivery, for example, when sending care records to a solicitor.
Approved packing
Only send case notes and other bulky material in robust, approved packaging - never in dustbin sacks, carrier bags or other containers.
Don’t leave the containers unattended unless they are securely stored, waiting for collection.
Make certain that the containers are taken and transported by the approved carrier.
EMAIL BREACHES
Your organisation will have guidance on sending secure emails.
Email is increasingly becoming the preferred vehicle for exchanging information, but as with other forms of communication, there are risks.
Mr Foster has recently been diagnosed with depression and has joined a support group to help him through this care.
He has just received his monthly email and noticed the names and email addresses of more than 500 people.
The organisation undertakes an investigation and finds that a new member of staff had sent out the email.
The staff member had mistakenly put the list of the support group members' email addresses in the CC field rather than the BCC field of the email.
Everyone who received the email could identify who was a member of the depression support group.
The investigations found that all existing staff members involved in sending out emails knew what to do but had not supervised the new member of staff.
5 Rules of email sending
Check with your line manager whether it is acceptable to send personal information in this way.
Confirm the accuracy of the email addresses for all intended recipients, sending test emails if you are unsure.
Check that everyone on the copy list has a genuine ‘need to know’ the information you are to send.
Emails sent to and from health and social care organisations must meet the secure email standard (DCB1596) so that everyone can be sure that sensitive and confidential information is kept secure.
If you are unsure of what to do, ask your line manager, ICT department or provider for advice.
Where an email needs to be sent to an unsecured email address, check whether this is at the request of a service user who understands and accepts the risks.
Consider whether it would be more appropriate to encrypt the email yourself.
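The CC/BCC mistake in Mr Foster's scenario is easy to catch before a message leaves the mailbox. The following is an added example, not part of the training module: it builds the monthly group mailing with members in Bcc, runs a pre-send check that flags a message whose To/Cc fields expose more than one address besides the sender, and shows that the Bcc addresses belong in the SMTP envelope while the Bcc header itself is stripped from what goes on the wire (the same thing Python's smtplib.send_message does). The sender mailbox, member addresses and the MAX_VISIBLE threshold are constructed assumptions.

```python
import copy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data (not from the page): a group mailbox and a few members.
SENDER = "support-group@example.org"
MEMBERS = [
    "member1@example.com",
    "member2@example.net",
    "member3@example.org",
]

# Assumption: a group mailing should show at most one visible address besides the sender.
MAX_VISIBLE = 1


def build_group_email(sender, members, subject, body, use_bcc=True):
    """Build the monthly mailing. use_bcc=False reproduces the mistake in the scenario."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    msg["To"] = sender  # the only visible address is the group mailbox itself
    if use_bcc:
        msg["Bcc"] = ", ".join(members)  # members cannot see each other
    else:
        msg["Cc"] = ", ".join(members)  # every member sees every other member
    return msg


def visible_recipients(msg):
    """Addresses every recipient will be able to read: To and Cc, never Bcc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def precheck(msg, sender=SENDER):
    """Return a list of problems; an empty list means the message passed the check."""
    problems = []
    others = [a for a in visible_recipients(msg) if a.lower() != sender.lower()]
    if len(others) > MAX_VISIBLE:
        problems.append(f"{len(others)} addresses visible in To/Cc: move them to Bcc")
    if len({a.lower() for a in others}) != len(others):
        problems.append("duplicate visible recipient")
    return problems


def envelope(msg):
    """Split a message into (envelope recipients, wire bytes).

    Bcc addresses are delivered via the SMTP envelope only; the Bcc header is
    removed from the bytes so no recipient ever sees the list.
    """
    all_headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    rcpts = [addr for _, addr in getaddresses(all_headers) if addr]
    stripped = copy.copy(msg)  # __delitem__ rebuilds the header list, so the original is untouched
    del stripped["Bcc"]
    return rcpts, stripped.as_bytes()


if __name__ == "__main__":
    mistaken = build_group_email(SENDER, MEMBERS, "Monthly update", "Hello all", use_bcc=False)
    print("Cc version:", precheck(mistaken))
    correct = build_group_email(SENDER, MEMBERS, "Monthly update", "Hello all")
    print("Bcc version:", precheck(correct) or "ok to send")
    rcpts, wire = envelope(correct)
    print("envelope recipients:", len(rcpts), "| Bcc header on the wire:", b"Bcc:" in wire)
```

In practice the precheck would sit in a send hook or a mail gateway rule; the point is that the check runs on what recipients will actually see (To and Cc), not on what the sender typed.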
Video Conference/Telephone Breaches
Joe, a practice manager, receives a call from a local hospital requesting information about Mrs Smith, one of the practice patients.
He knows that she has been referred to that hospital for cancer investigation, so he gives the information to the caller.
The next morning, Mrs Smith phones the practice and tells Joe that her brother-in-law has information about her health that he can only have obtained from the practice. At that point, Joe realises that he had no proof that the previous day’s call was from the local hospital.
Joe should not give patient information over the phone without first checking the identity of the caller and whether they have a valid reason to request it.
If a request for information is made by phone you should, where possible, adhere to the following processes and procedures.
Confirm the name, job title, department and organisation of the person requesting the information
Confirm that the reason for the information request is appropriate
Take a contact telephone number, for example the main switchboard number, and never a direct line or mobile phone number, so that you can phone back and confirm that the caller is genuine
Check whether the information can be provided – if in doubt, tell the person you will call them back
Only provide the information to the person who requested it. Do not leave messages
Ensure that you record your name, the reason for the disclosure and who authorised the disclosure in the patient/service user’s record. Make sure you also record the recipient’s name, job title, organisation and telephone number
Data Security Risks
Last week, someone in a high-visibility vest visited a social care office as well as a GP practice in the same local area. In each case, he followed a member of staff into the building and told the receptionist that he needed everyone's details for a 'software update'.
The person then sold these details to other criminals. Let’s find out what else he found.
Doors
Nearly every door the visitor encounters is open. Even those doors marked as ‘restricted access’ have been propped open to allow for a delivery.
This means he is able to wander freely in and out without challenge, and could have stolen equipment or personal items belonging to staff.
Visitors
The visitor has forged a badge. He approaches the reception desk and asks for directions to the server room. The receptionist is happy to help. His badge isn’t even checked.
With access to the server room, he can disrupt the server as much as he likes, causing connectivity problems across the whole organisation.
Desks
Despite most organisations having strict clear desk policies, a lot of data is found in unoccupied office areas. Financial documents, including client account details, are lying on desks.
The visitor has a bag of memory sticks and randomly disperses them on desks in the hope that someone will plug one in. It will then start installing malware onto the computer.