
Incident Policy Practice Guidance Note

Information Governance Incident Reporting Management – V04

How to Report and Manage an Information Governance Incident

Date Issued: Issue 1 – April 2016; Issue 2 – Sep 2017

Planned Review: April 2019

PGN No: IP-PGN-11 – Part of NTW(O)05 - Incident Policy

Author / Designation Julie Burns – Information Governance and Compliance Lead

Responsible Officer / Designation

Lisa Quinn – Executive Director of Performance and Assurance

Contents

Section Description Page No.

1 Introduction 1

2 Identifying Information Governance Incidents 1

3 Flowchart showing Information Governance Incident Reporting and Review Process during Normal Working Hours 2

4 Reporting of Information Governance Incidents 3

5 Information Governance Incidents where further Investigation is required 3

6 Incident Management Group 5

7 Rating of Information Governance Serious Incidents 6

8 Information Governance Incidents rated Level 2 and above 7

9 Information Governance incidents rated Level 1 and below 7

Appendices – listed separate to PGN

Appendix 1 Monitoring Tool 9

Appendix 2 Serious Incidents Requiring Investigation – Breach Types Defined 10

Appendix 3 Template for Non-clinical Incidents Serious Incident Review Report 14

Appendix 4 Proforma Template for Assessing the Severity of Information Governance Incidents 19

Appendix 5 Serious Incident Review Action Plan Template 21

Appendix 6 Level 2 / Level 1 Information Governance Serious Incidents Requiring Investigation Annual Reporting Template 23

Northumberland, Tyne and Wear NHS Foundation Trust IP-PGN-11 – How to Report and Manage an Information Governance Incident – V04 – Issue 2 – Sep 2017 NTW(O)05 – Incident Policy – V04 – April 2016


1 Introduction

1.1 All Health, Public Health and Adult Social Care services must ensure that all Information Governance Serious Incidents Requiring Investigation (IG SIRIs) are reported and handled effectively.

1.2 From 1st June 2013, the organisations which process health and adult social care personal data are required to grade all Information Governance Serious Incidents Requiring Investigation using the criteria implemented by the HSCIC. All Information Governance Serious Incidents Requiring Investigation graded Level 2 and above must be reported through the Information Governance Toolkit Incident Reporting Tool. This information will then be accessed by the Department of Health, the Information Commissioner’s Office and other regulators.

1.3 To assist and support organisations with this process, guidance has been issued by the Health and Social Care Information Centre (HSCIC).

1.4 The content of this Practice Guidance Note reflects the Guidance issued by the Health and Social Care Information Centre, and the purpose of this Practice Guidance Note is to inform Trust staff on how all Information Governance Incidents should be reported and handled within the new framework.

2 Identifying Information Governance Incidents

2.1 There is no simple definition of an Information Governance Incident. Information Governance Incidents will involve service user / carer / staff or third party information held on various media such as paper, computers, digital recordings and images. Serious Information Governance Incidents may clearly be identifiable from the outset because of the type of breach, but the severity of some incidents may not be fully established until further investigation work has been carried out.

2.2 As a guide, an Information Governance Incident can be:

Any incident which involves actual or potential failure to meet the requirements of the Data Protection Act 1998 and / or the Common Law of Confidentiality;

This includes an unlawful disclosure or misuse of confidential data, recording or sharing of inaccurate data, information security breaches and inappropriate invasion of people’s privacy;

Such personal data breaches which could lead to identity fraud or have other significant impact on individuals;

Applies irrespective of the media involved and includes both electronic media and paper records.

2.3 A full list of breach types and examples can be found as Appendix 2 in this Practice Guidance Note. If staff need any assistance in identifying an Information Governance breach they should contact the Information Governance and Medico Legal Team for advice.

3 The following Flowchart shows the Reporting and Review Process for Information Governance Incidents during Normal Working Hours

[Flowchart: Information Governance Incident Reporting and Review Process during Normal Working Hours; the diagram itself is not reproduced in this text version.]

Key: IG: Information Governance; IGCL: Information Governance & Compliance Lead; CDT: Corporate Decisions Team; SI: Serious Incident; STEIS: Strategic Executive Information System; HSCIC: Health & Social Care Information Centre; AAR: After Action Review

4 Reporting of Information Governance Incidents

4.1 Once an incident has occurred and the situation stabilised, the incident should be reported in line with the IP-PGN-01 - Incident Reporting and Management by the Service where it occurred. The Associate Director should contact the Information Governance and Medico Legal Team for advice and support.

4.2 The Information Governance Incident should be reported via the web based Incident Reporting System. Guidance for this can be found on the intranet by clicking on the link below:

http://nww1.ntw.nhs.uk/services/?id=5247&p=2780&sp=2824

4.3 It is of vital importance that the correct information is completed via the web based incident reporting form as it is the basis of the investigation work carried out by the Information Governance and Medico Legal Team and may impact on the rating of the incident under the Health and Social Care Information Centre Guidance.

4.4 If the breach has resulted in person identifiable information being sent to the wrong individual, then all efforts must be taken by the Locality care group to ensure that the information is retrieved.

4.5 In all incidents where personal information has been breached, the individual affected should be contacted by the Locality care group, informed of the breach, given an apology and provided with details of how to make a complaint through the Trust’s complaints process.

4.6 If, however, disclosure of the breach would have an adverse effect on the individual concerned and that individual is a patient within Trust services, then a clinical decision to withhold this information may be taken. However, the decision and the justification for why the individual is not to be informed should be documented clearly in the individual’s health record.

4.7 Once the incident has been reported it is assigned an incident number from the Safeguard Risk Management System, and any further information collected should be entered onto that system. The incident will then appear on the ‘Information Governance Weekly Report Open Cases’ and the ‘Information Governance Detailed Daily Report’.

4.8 The Information Governance and Compliance Lead (IGCL) will go into the Safeguard Risk Management System and add in any additional information about the incident they have collected. Based on the information provided, the IGCL will then provide an initial grading of the impact of the incident, following the rating process identified in the Health and Social Care Information Centre Guidance (see Section 7), to the Information Governance Incident Management Group.


5 Information Governance Incidents where further Investigation is required

5.1 All Information Governance Incidents will be categorised, depending on their severity, by the level of investigation required.

5.2 The categories of investigation are as follows:

Full Serious Incident Investigation;

Formal After Action Review;

Team After Action Review.

5.3 All Information Governance Incidents should have either an informal (Team / Department) or formal review of the circumstances around the issue and what steps should be taken to reduce the risk of reoccurrence.

5.4 Some reviews will take the format of an After Action Review and others will have the corrective actions recorded on the web based Incident Reporting System. This depends on the severity of the Information Governance Incident. The process entails discussing an Information Governance Incident and recording what actions should be taken by looking at the following:

What happened?

Why did it happen?

What went well?

What needs improvement?

What lessons can be learned from the experience?

5.5 Full Serious Incident Investigation (Information Governance Incidents)

5.5.1 Where a Serious Information Governance Incident has occurred then the process for serious incidents should be followed. There are differences to the documents completed due to the nature of Information Governance Incidents but overall the process is the same.

5.5.2 The Medical Director (Caldicott) and the Executive Director of Performance and Assurance (SIRO) will assign an Investigating Officer to look into the circumstances around the IG Incident. The Investigating Officer should ensure that the investigation is completed within 30 working days.

5.5.3 The Investigating Officer will also be responsible for collecting witness statements, facilitating the After Action Review (within 10 days) and summarising all the information received into the final Report. The template for the Report is attached as Appendix 3.

5.5.4 The completed Serious Incident Review Report should be forwarded to the Associate Director and Safety Team for quality checking and signature prior to submission to the Incident and Claims Department for the Incident Review Panel. An electronic copy of all the information gathered should be forwarded to the Incident and Claims Department to be attached to the Electronic Incident Record. If this is not possible, Incident and Claims will scan the documents when they receive them from the Investigating Officer.

5.5.5 The Incident and Claims Department will construct a Serious Incident Investigation Electronic File for the office and send an electronic pack to the appointed Investigating Officer and relevant people involved in the investigation. The Investigating Officer will be notified of the date of the Serious Incident Review Panel and when papers are due with Incident and Claims.

5.5.6 The Incident and Claims Department will report the incident on the Strategic Executive Information System (StEIS) to inform the Commissioners / Clinical Commissioning Groups.

5.6 Serious Incident Review Panel

5.6.1 In the case of a Serious Incident Review Panel for an Information Governance Incident, the Panel should include members with an Information Governance background as well as clinical and operational representation.

5.6.2 Therefore the Panel should contain at least three members of the Information Governance Incident Management Group.

5.6.3 The Panel will consider the Investigating Officer’s Report and ask questions where issues need clarification. The Panel will also agree the actions recommended by the Investigating Officer in their Report and, if necessary, add additional actions.

5.6.4 The Action Plan should be finalised at the Serious Incident Review Meeting and timescales set against the actions for completion. The template for the Action Plan is attached as Appendix 4.

6 Information Governance Incident Management Group

6.1 The Information Governance Incident Management Group Members include but are not limited to the following:

Executive Director of Performance and Assurance (Chair);

Director of Informatics;

Head of Safety and Security;

Head of Information Governance and Medico Legal ;

Information Governance and Compliance Lead;

Representative from Workforce and Operational Development.


6.2 The Information Governance Incident Management Group meets on a fortnightly basis to look at all Information Governance Incidents and update on what actions have been taken to resolve those incidents.

6.3 The Group will also discuss Action Plans from Serious Incident Reviews and map progress of open actions. Clinical Group Information Governance Incident Action Plans will be signed off by the relevant Clinical Assurance Group. Information Governance Incidents which do not report to an Assurance Group will be signed off by the appropriate Associate Directors (for example: Medical, Finance, Performance, Workforce).

6.4 Once an action has been completed the Incidents and Claims Department will update the Action Plan. Once all actions have been completed it will be signed off by the appropriate Assurance Group / Associate Directors and the Information Governance Incident will be closed by the Information Governance Incident Management Group.

6.5 The Group receives a weekly report which shows the Information Governance Incidents which have occurred and are still open. Each Incident is discussed and, where necessary, a Case Manager is assigned from the Group to investigate further the circumstances surrounding the Information Governance Incident.

6.6 The Case Manager will feed back any further information in relation to the Information Governance Incident to the Group. The Group will then decide whether any further action needs to be taken or whether to close the incident.

6.7 The Incident Group will also use the above information provided by the Case Manager to re-evaluate the rating of each Information Governance Incident initially scored by the Information Governance Team (see 4.8).

6.8 Once the final ratings of the Information Governance Incidents have been agreed by the Incident Management Group, they will then be sent to the next Corporate Decisions Team Meeting for approval.

6.9 Further information in relation to Information Governance Incidents rated Level 2 and above will be provided to the Corporate Decisions Team for approval prior to submission on the Information Governance Toolkit by the Information Governance Team.

6.10 Once the final ratings have been ratified by the Corporate Decisions Team, the Level 2 and above Incidents will be uploaded onto the Information Governance Toolkit under the Incident Reporting Tool by the IGCL.

6.11 All Information Governance Incidents rated Level 1 will be reported in the Trust’s Annual Report.


7 Rating of Information Governance Serious Incidents Requiring Investigation

7.1 The Information Governance Serious Incidents Requiring Investigation category is determined by the context, scale and sensitivity of the Incident. Every Incident can be categorised as:

Level 1 Confirmed Information Governance Serious Incidents Requiring Investigation but no need to report to ICO, DH and other central bodies;

Level 2 Confirmed Information Governance Serious Incidents Requiring Investigation that must be reported to ICO, DH and other central bodies.

7.2 A further category of Information Governance Serious Incidents Requiring Investigation is also possible and should be used in Incident Closure where it is determined that it was a near miss or the Incident is found to have been mistakenly reported:

Level 0 Near miss / non-event.

7.3 Where an Information Governance Serious Incident Requiring Investigation is found not to have occurred, or its severity is reduced due to fortunate events which were not part of pre-planned controls, this should be recorded as a “near miss” to enable lessons learned activities to take place and appropriate recording of the event.

7.4 The initial grading of the incident may change once all the facts of the incident have been established.

7.5 The Checklist Template to produce the appropriate rating for each incident is attached to this document as Appendix 3.

7.6 Guidance on how to complete the grading can be found by clicking on the following link:

https://www.igt.hscic.gov.uk/KnowledgeBaseNew/IG%20SIRI%20Reporting%20Tool%20Publication%20Statement_Final_V2%200.pdf

8 Information Governance Incidents (IG SIRI) rated Level 2 and above

8.1 Once an Information Governance Serious Incidents Requiring Investigation rating has been assessed and approved as Level 2 or above by the Corporate Decisions Team, the Information Governance Team will then upload the information on to the Information Governance Incident Reporting Tool through the Information Governance Toolkit.


8.2 Guidance on how to upload the information on to the Information Governance Incident Reporting Tool can be found by clicking on the following link:

https://nww.igt.hscic.gov.uk/resources/IG%20Incident%20Reporting%20Tool%20User%20Guide.pdf

8.3 Detailed definitions and examples of breach types are attached as Appendix 2.

8.4 The Health and Social Care Information Centre Guidance also states that Incidents classified at an Information Governance Serious Incidents Requiring Investigation severity Level 2 need to be detailed individually in the Annual Report in the format provided as Table 1 attached as Appendix 5.

8.5 All reported incidents relating to the period in question should be reported, whether they are open or closed incidents.

9 Information Governance Incidents (IG SIRI) rated Level 1 and below

9.1 If an Information Governance Serious Incidents Requiring Investigation rating has been assessed and approved as Level 1 or below, this does not have to be reported through the Information Governance Toolkit.

9.2 Information Governance Serious Incidents Requiring Investigation rated Level 1 and below would be reported using Table 2 in Appendix 5 within the Trust’s Annual Report.


Appendix 1

Statement

The Trust is working towards effective clinical governance and governance systems. To demonstrate effective care delivery and compliance, Policy Authors are required to include how monitoring of this Policy, linked to Auditable Standards / Key Performance Indicators, will be undertaken using this framework.

NTW(O)05 – Incident Policy - Monitoring Framework

Columns: Auditable Standard / Key Performance Indicator; Frequency / Method / Person Responsible; Where Results and Any Associated Action Plan Will Be Reported To, Implemented and Monitored (this will usually be via the relevant Governance Group).

1 All incidents or breaches of policy are clearly and accurately recorded through the reporting of incidents.
Frequency / Method / Person Responsible: Incidents discussed at IG Incident Management Group; bi-monthly Incident Report through CHIG by the Information Governance and Compliance Lead.
Reported to: Caldicott and Health Informatics Group.

1 All IG incidents will be discussed with services to ensure remedial actions are put in place to minimise reoccurrence.
Frequency / Method / Person Responsible: Weekly, following receipt of the weekly IG Incident report generated via Safeguard, by the Information Governance and Compliance Lead.
Reported to: Reported bi-weekly into the IG IMG group.

2 All Level 2 IG Incidents are reported through the HSCIC IG Incident Reporting Tool.
Frequency / Method / Person Responsible: Reported through the IG IMG group on a bi-weekly basis and through the CHIG on a bi-monthly basis by the Information Governance and Compliance Lead.
Reported to: IG IMG Group; Caldicott and Health Informatics Group.

The Author(s) of each Policy is required to complete this monitoring template and ensure that these results are taken to the appropriate Quality and Performance Governance Group in line with the frequency set out.


Appendix 2

Serious Incidents Requiring Investigation – Breach Types Defined

These more detailed definitions and examples should help the Information Governance Team select the most appropriate ‘Breach Type’ category when completing the Information Governance Serious Incidents Requiring Investigation Record on the online tool. However, it is recognised that many data incidents will involve elements of one or more of the following categories. For the purpose of reporting, the description which best fits the key characteristic of the incident should be selected.

Breach Type Examples / incidents covered within this definition

Lost in Transit

The loss of data (usually in paper format, but may also include CDs, tapes, DVDs or portable media) whilst in transit from one business area to another location. May include data that is:

Lost by a courier;

Lost in the ‘general’ post (i.e. does not arrive at its intended destination);

Lost whilst on site but in situ between two separate premises / buildings or departments;

Lost whilst being hand delivered, whether that be by a member of the data controller’s staff or a third party acting on their behalf.

Generally speaking, ‘lost in transit’ would not include data taken home by a member of staff for the purpose of home working or similar (please see ‘lost or stolen hardware’ and ‘lost or stolen paperwork’ for more information).

Lost or stolen hardware

The loss of data contained on fixed or portable hardware. May include:

Lost or stolen laptops;

Hard-drives;

Pen-drives;

Servers;

Cameras;

Mobile phones containing personal data;

Desk-tops / other fixed electronic equipment;

Imaging equipment containing personal data;

Tablets;

Any other portable or fixed devices containing personal data.

The loss or theft could take place on or off a data controller’s premises. For example, the theft of a laptop from an employee’s home or car, or a loss of a portable device whilst travelling on public transport. Unencrypted devices are at particular risk.


NB: The ‘Data controller’ is the organisation that is holding and processing the personal data.

Lost or stolen paperwork

The loss of data held in paper format. Would include any paper work lost or stolen which could be classified as personal data (i.e. is part of a relevant filing system / accessible record). Examples would include:

Medical Files;

Letters;

Rotas;

Ward Handover Sheets;

Employee Records.

The loss or theft could take place on or off a data controller’s premises, so for example the theft of paperwork from an employee’s home or car or a loss whilst they were travelling on public transport would be included in this category. Work diaries may also be included (where the information is arranged in such a way that it could be considered to be an accessible record / relevant filing system).

Disclosed in Error

This category covers information which has been disclosed to the incorrect party or where it has been sent or otherwise provided to an individual or organisation in error. This would include situations where the information itself hasn’t actually been accessed. Examples include:

Letters / correspondence / files sent to the incorrect individual;

Verbal disclosures made in error (however wilful inappropriate disclosures / disclosures made for personal or financial gain will fall within the s55 aspect of reporting);

Failure to redact personal data from documentation supplied to third parties;

Inclusion of information relating to other data subjects in error;

Emails or faxes sent to the incorrect individual or with the incorrect information attached;

Failure to blind carbon copy (‘bcc’) emails;

Mail merge / batching errors on mass mailing campaigns leading to the incorrect individuals receiving personal data;

Disclosure of data to a third party contractor / data processor (individual or organisation processing data on behalf of the data controller) who are not entitled to receive it.


Uploaded to website in error

This category is distinct from ‘disclosure in error’ as it relates to information added to a website containing personal data which is not suitable for disclosure. It may include:

Failures to carry out appropriate redactions;

Uploading the incorrect documentation;

The failure to remove hidden cells or pivot tables when uploading a spread-sheet;

Failure to consider / apply FOIA exemptions to personal data.


Secure Disposal – hardware

The failure to dispose of hardware containing personal data using appropriate technical and organisational means. It may include:

Failure to meet the contracting requirements of principle seven when employing a third party processor to carry out the removal / destruction of data;

Failure to securely wipe data ahead of destruction;

Failure to securely destroy hardware to appropriate industry standards;

Re-sale of equipment with personal data still intact / retrievable;

The provision of hardware for recycling with the data still intact.

Non-secure Disposal – paperwork

The failure to dispose of paperwork containing personal data to an appropriate technical and organisational standard. It may include:

Failure to meet the contracting requirements of principle seven when employing a third party processor to remove / destroy / recycle paper;

Failure to use confidential waste destruction facilities (including on site shredding);

Data sent to landfill / recycling intact (this would include refuse mix-ups in which personal data is placed in the general waste).

Technical security failing (including hacking)

This category concentrates on the technical measures a data controller should take to prevent unauthorised processing and loss of data and would include:

Failure to appropriately secure systems from inappropriate / malicious access;

Failure to build website / access portals to appropriate technical standards;

The storage of data (such as CV3 numbers) alongside other personal identifiers in defiance of industry best practice;

Failure to protect internal file sources from accidental / unwarranted access (for example failure to secure shared file spaces);

Failure to implement appropriate controls for remote system access for employees (for example, when working from home).

In respect of successful hacking attempts, the ICO’s interest is in whether there were adequate technical security controls in place to mitigate this risk.


Corruption or inability to recover electronic data

Avoidable or foreseeable corruption of data or an issue which otherwise prevents access which has quantifiable consequences for the affected data subjects e.g. disruption of care / adverse clinical outcomes. For example:

The corruption of a file which renders the data inaccessible;

The inability to recover a file as its method / format of storage is obsolete;

The loss of a password, encryption key or the poor management of access controls leading to the data becoming inaccessible.

Unauthorised access / disclosure

The offence under section 55 of the DPA: wilful unauthorised access to, or disclosure of, personal data without the consent of the data controller.

Example (1): An employee with admin access to a centralised database of patient details accesses the records of her daughter’s new boyfriend to ascertain whether he suffers from any serious medical conditions. The employee has no legitimate business need to view the documentation and is not authorised to do so. On learning that the data subject suffers from a GUM related medical condition, the employee then challenges him about his sexual history.

Example (2): An employee with access to details of patients who have sought treatment following an accident sells the details to a claims company, who then use this information to facilitate lead generation within the personal injury claims market. The employee has no legitimate business need to view the documentation and has committed an offence both in accessing the information and in selling it on.

Other

This category is designed to capture the small number of occasions on which a principle seven breach occurs which does not fall into the aforementioned categories. These may include:

Failure to decommission a former premises of the data controller by removing the personal data present;

The sale or recycling of office equipment (such as filing cabinets) later found to contain personal data;

Inadequate controls around physical employee access to data leading to the insecure storage of files (for example, a failure to implement a clear desk policy or a lack of secure cabinets).

This category also covers all aspects of the remaining data protection principles as follows:

Fair processing;

Adequacy, relevance and necessity;

Accuracy;

Retaining of records;

Overseas transfers.

15 Northumberland Tyne & Wear NHS Foundation Trust IP-PGN-11 – How to Report and Manage an Information Governance Incident – Appendix 3 – Template for Non-clinical Incidents Serious Incidents Review Report V04 – Issue 2 – Sep-2017 Part of NTW(O)05 – Incident Policy – V04 – April 2016

Appendix 3

Confidential Serious Incident Investigation

Incident Number:

STEIS Reference:


Identification of Individuals Named in the Report (staff involved in care package and other agencies involved)

(keep on a separate page which can be detached for anonymity)

Could you please ensure all patient / staff identifiable information is limited to this page only and none is included in the body of the report, where initials only should be used.

RIO NUMBER:

SERVICE USER (WHERE APPLICABLE)
Title | Initials | Name

FAMILY MEMBERS
Relationship to patient | Initials | Name
e.g. Mother | JB | Jane Brown

PRIMARY CARE MEDICAL
Job Title/Team | Initials | Name
e.g. Consultant Psychiatrist | Dr S | Dr John Smith

MEDICAL - NTW FOUNDATION TRUST
Job Title/Team | Initials | Name

NON-MEDICAL - NTW FOUNDATION TRUST
Job Title/Team | Initials | Name

OTHER
Job Title/Team | Initials | Name


Contents

Introduction
Summary of incident
Chronology of events leading up to the incident
Safeguarding
Findings of the investigation
Conclusions
Recommendations to be taken forward in Action Plan


Introduction

My name is NAME, I am a Serious Incident Investigator / JOB TITLE and I am employed by Northumberland, Tyne and Wear NHS Foundation Trust. The investigation and report were undertaken to enable Northumberland, Tyne and Wear NHS Foundation Trust to examine the circumstances leading up to the incident, which was reported to the Trust on the < insert date>. The investigation also reviews the standard of compliance with Trust policy. I was assisted by NAME, Lead Clinician, and the report incorporates the findings of the After Action Review we held with the team on the < insert date>.

Summary of Incident

Chronology of events leading up to incident

DATE | EVENT | NOTABLE PRACTICE / CONCERN

Safeguarding

Findings of Investigation

What went well?

What could have gone better?

Lessons learnt


Conclusions

Recommendations to be taken forward in Action Plan

Rationale | Action | Progress

Signed: Date: Investigating Officer

I have checked the above report and am happy with the content, quality and action plan.

Signed: Date: Associate Director

20 Northumberland, Tyne and Wear NHS Foundation Trust IP-PGN-11 – How to Report and Manage an Information Governance Incident – Appendix 5 – Serious Incident Review Action Plan Template - V04 – Issue 2- Sep 2017 Part of NTW(O)05 – Incident Policy – V04 – April 2016

Appendix 4

IG Incidents – Proforma to Categorise Information Governance Incidents

Incident No:

Date of Incident:

Description of incident:

Step 1: Establish the scale of the incident.

The number of individuals that are potentially impacted by the incident. | Baseline scale | Actual Scale

Information about 10 or fewer individuals | 0
Information about 11-100 individuals | 1
Information about 101-1,000 individuals | 2
Information about 1,001 – 100,001+ individuals | 3

Actual scale of incident carried forward:

Step 2: Identify which sensitivity characteristics may apply; the baseline scale point will adjust accordingly.

Low: For each of the following factors reduce the baseline score by 1
No clinical data at risk | -1
Limited demographic data at risk, e.g. address not included, name not included | -1
Security controls / difficulty of access to the data partially mitigate the risk | -1

Medium: The following factors have no effect on the baseline score
Basic demographic data at risk, e.g. equivalent to a telephone directory | 0
Limited clinical information at risk, e.g. clinic attendance, ward handover sheet | 0

High: For each of the following factors increase the baseline score by 1
Detailed clinical information at risk, e.g. case notes | +1
Particularly sensitive information at risk, e.g. HIV, STD, mental health, children | +1
One or more previous incidents of a similar type in the past 12 months | +1
Failure to securely encrypt mobile technology or other obvious security failing | +1
Celebrity involved or other newsworthy aspects or media interest | +1
A complaint has been made to the Information Commissioner | +1
Individuals affected are likely to suffer significant distress or embarrassment | +1
Individuals affected have been placed at risk of physical harm | +1
Individuals affected may suffer significant detriment, e.g. financial loss | +1
Incident has incurred or risked incurring a clinical untoward incident | +1

Final Score of IG Incident:

Level of IG SIRI:


Appendix 5

THE COMPLETION OF THIS ACTION PLAN IS THE RESPONSIBILITY OF THE ASSOCIATE DIRECTOR

Serious Untoward Incident Review Proforma

Patient ID/Other

Date of Incident

Service Area Trust

Incident Number

STEIS No (if applicable)

Presenting Officer

Date reviewed by SUI Group

Summary of Incident

CQUIN Standard (tick as appropriate) | Yes | No | Partial

Is there a risk assessment in place (formal or narrative)

If yes, is there evidence of the risk assessment transferring through the care planning process

Is there evidence of a care plan, a contingency plan and discharge planning (if appropriate)

Recommendations & Actions Following SUI Review | Lead | Timescale | Outcome / Evidence of Completion (forward to Incident and Claims Department) | Date Completed


Date

Date agreed at Directorate Q&P

Date agreed at Patient Safety

23 Northumberland, Tyne and Wear NHS Foundation Trust IP-PGN-11 – How to Report and Manage an Information Governance Incident - Appendix 6 – Level 2 / Level 1 Information Governance Serious Incidents Requiring Investigation Annual Reporting Template - V04 – Issue 2 Sep 17 Part of NTW(O)05 – Incident Policy – V04 – April 2016

Appendix 6

Table 1 Template – Level 2 IG SIRI’s Annual Report

SUMMARY OF SERIOUS INCIDENT REQUIRING INVESTIGATIONS INVOLVING PERSONAL DATA AS REPORTED TO THE INFORMATION COMMISSIONER’S OFFICE IN 201X-201X

Date of incident (Month) | Nature of incident | Nature of data involved | Number of data subjects potentially affected | Notification steps | Further action on information risk

Notes to producing Table 1

Nature of the incident: select one of the breach types:
A Corruption or inability to recover electronic data
B Disclosed in Error
C Lost In Transit
D Lost or stolen hardware
E Lost or stolen paperwork
F Non-secure Disposal – hardware
G Non-secure Disposal – paperwork
H Uploaded to website in error
I Technical security failing (including hacking)
J Unauthorised Access/Disclosure
K Other

Category List:
i) inadequately protected PC(s), laptop(s) and remote device(s) (including, for example, PDAs, mobile telephones, BlackBerrys)
ii) inadequately protected electronic storage device(s) (including, for example, USB devices, discs, CD ROM, microfilm)
iii) inadequately protected electronic back-up device(s) (including, for example, tapes)
iv) paper document(s)

Nature of data involved A list of data elements (e.g. name, address, NHS number).

Number of data subjects potentially affected An estimate should be provided if no precise figure can be given.

Notification steps Individuals notified by post* / email* / telephone* (*delete as appropriate) Police* / law enforcement agencies* notified (*delete as appropriate) Media release

Further action on information risk A summary of any disciplinary action taken as a result of the incidents should also be included.


Table 2 Template - Level 1 IG SIRI’s Annual Report

Incidents classified at severity Level 1 should be aggregated and reported in the annual report in the format shown in the table below. Incidents rated at severity Level 0 need not be reflected in Annual Reports.

Table 2 SUMMARY OF OTHER PERSONAL DATA RELATED INCIDENTS IN 201X-1X

Category | Breach Type | Total

A Corruption or inability to recover electronic data

B Disclosed in error

C Lost in Transit

D Lost or stolen Hardware

E Lost or stolen paperwork

F Non-secure Disposal – Hardware

G Non-secure Disposal – paperwork

H Uploaded to website in error

I Technical security failing (including hacking)

J Unauthorised access/disclosure

K Other