Personal data breaches (2024)

Information security is the responsibility of each individual local health and care organisation, from GP practices to hospital trusts.

Ensuring health and care data is protected and used safely is a priority for the NHS. There are several safeguards in place to ensure that data is used across the health and care system in a safe, secure and legal way.

You are required by law to protect the personal or confidential patient information you use when providing care. This means ensuring it is only accessed by those who need it, providing only the information required for that purpose, and ensuring you have consent or another legal basis before sharing it.

What is a personal data breach?

There may be occasions when things go wrong. A personal data breach is an accidental or deliberate breach of security that leads to one or more of the following:

The loss or unlawful destruction of data

For example, an unencrypted memory stick containing health and care data being lost.

Alteration of data

For example, a staff member (or a hacker) maliciously changing something in a patient or service user record, such as deliberately changing a medication dosage from milligrams (mg) to grams (g).

Unauthorised disclosure

For example, an email containing information about a patient being sent to the wrong email address.

Unauthorised access

For example, looking at more information about a patient or service user than you need for your role, or knowingly requesting (and obtaining) access to information that is not relevant to your role, such as a geriatrician requesting access to paediatric systems or records.

See Also
The UK GDPR

What to do if you think there has been a data breach

If you become aware of a personal data breach, follow your organisation's procedure for reporting a data breach. Usually this is set out in your Information Governance (IG) policy, and it will require you to report the incident via your organisation's incident reporting process. If you are unsure what to do, tell your Data Protection Officer (DPO).

Report a data breach as soon as you become aware of it via your organisation's incident reporting process. Your report should set out what has happened and any steps you have already taken in response. For example: "email containing the name, DOB and NHS number of a patient sent to the wrong Jane Smith on 5 March. Recalled the email and asked the recipient to delete it and they have confirmed this." Note that an email recall is not reliable once the message has left your own mail system, so the recipient's confirmation that they have deleted it is the step that matters. You should contribute to any investigation that is carried out.

If you are not sure whether a breach has occurred, you should still report it via your organisation's incident reporting system. You should also report "near miss" data breaches. A near miss is an incident that did not result in a breach but could have done if it had developed further or been left unaddressed. An example is leaving patient records unsecured in a main hospital corridor used by the public. Reporting near misses helps your organisation identify changes needed to keep information secure.

Example

A community nurse's car is broken into and his laptop is stolen. He uses the laptop to access a spreadsheet containing the personal data of his patients. The spreadsheet is encrypted and stored on the network drive. The community nurse reports the theft via his organisation's incident reporting procedure so that the IG team can decide on the next steps. The theft is reported even though the spreadsheet is encrypted and held on the network drive: the IG team still needs to establish whether the laptop itself was encrypted, whether any local copies, downloads or saved credentials were on it, and therefore whether patient data is actually at risk.

Article information

Author: Kareem Mueller DO