
Department of Health checklist provides guidance on data security breach management


Updated March 2010

The Department of Health has recently published a checklist on reporting, managing and investigating 'Information Governance Serious Untoward Incidents' (IG SUIs).

The checklist is intended to supplement existing guidance and encourage a more consistent approach towards evaluation of incidents where personal data has been lost.

This comes shortly after the Information Commissioner's Office (ICO) reprimanded Southampton University Hospital Trust for a breach of the Data Protection Act 1998 (DPA), following the theft, from an unattended vehicle, of an unencrypted laptop containing sensitive information about patients.

The checklist is aimed at incidents involving an unauthorised disclosure of personally identifiable data by NHS bodies. However, it is a timely reminder that all organisations that handle personal data should be reviewing their data protection policies prior to the introduction of new powers for the ICO to administer fines of up to £500,000 for serious breaches of the DPA.

The checklist defines an IG SUI as any incident involving the actual or potential loss of personal information that could lead to identity fraud, or that could otherwise have a significant impact on individuals serious enough to warrant reporting.

The checklist recommends a four-stage process involving initial reporting, managing, investigating and final reporting of the IG SUI. It also identifies a number of practical steps that should be taken at each stage in order to limit the damage caused by a breach.

Key points to emerge include the need to ensure that:

  • a consistent approach is taken to evaluating potential breaches of the DPA;
  • incidents and ‘near misses’ are reported early to a nominated officer so that appropriate steps can be taken in terms of escalation, notification and communication to interested parties;
  • all aspects of an incident are investigated fully and lessons learned are identified and communicated;
  • appropriate corrective action is taken to prevent similar incidents in future.

All businesses might find it useful to refer to the approach recommended by the checklist when considering their own procedures. It is advisable that all organisations have an incident response plan and all staff should know to whom they should report and escalate suspected or actual IG SUIs.

Comment

The DPA imposes broad obligations on those businesses, professionals and government departments established in the UK who are responsible for processing personal data (data controllers). From 6 April 2010, the Information Commissioner will have enhanced powers to impose financial penalties of up to £500,000 for serious breaches of the DPA. Data controllers in both the public and private sectors should review their practices and systems now to reduce the risk of incurring a penalty.

Having an appropriate and effective incident response plan in place is an important tool for mitigating the consequences of breaches and preventing similar breaches occurring in the future.

Should you require any advice on how to develop incident response plans, manage data breaches or in relation to data protection issues generally, please contact a member of TLT's Data Protection and Privacy team.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at March 2010. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.


Contact

  • Alison Deighton
    Associate
    Tel: +44 (0)117 917 8016


© 1999 - 2010 TLT LLP. TLT LLP is a Limited Liability Partnership.