A data breach is any failure to meet the requirements of the Data Protection legislation. All staff are responsible for reporting data breaches in a timely manner. There are three types of data breaches, namely:

  • Confidentiality breach - unauthorised or accidental disclosure of, or access to, person confidential data,
  • Availability breach - unauthorised or accidental loss of access to, or destruction of, personal confidential data, and;
  • Integrity breach - unauthorised or accidental alteration of personal confidential data.

Where loss, alteration or unauthorised disclosure of person confidential information occurs, this constitutes an Information Governance incident that must be reported and investigated. 

Under current Data Protection legislation, if there is a high risk to the rights and freedoms of the individuals involved, it is a legal requirement that an organisation must report a breach of personal data within 72 hours of the breach being discovered. If the breach is likely to result in a high risk to the rights and freedoms of individuals, organisations must also inform those individuals without undue delay.

Actual breaches of information security and/or confidentiality (e.g. loss or theft of a care record, laptop or mobile device; or patient information sent to the wrong address) must be reported on the Trust's incident reporting system in line with the current incident reporting procedure.

If person confidential information is involved, the impact of the loss will be assessed by the Information Governance Team and reported to the SIRO and Caldicott Guardian if necessary and where a high risk to the rights and freedoms of individuals is identified.

Where necessary, when certain criteria are met, based on its relevance and severity the incident will be reported in line with national guidance as a serious incident to the Information Commissioner's Office (ICO), the Department of Health and Social Care and NHS Digital.

Suspected breaches should be discussed with the Information Governance Team to see whether or not they need to be formally reported.

If you have any further questions or concerns about these issues, please contact the IG Team.