A data breach is any failure to meet the requirements of the Data Protection legislation. All staff are responsible for reporting data breaches in a timely manner. There are three types of data breaches, namely:
- Confidentiality breach - unauthorised or accidental disclosure of, or access to, personal data,
- Availability breach - unauthorised or accidental loss of access to, or destruction of, personal data; and
- Integrity breach - unauthorised or accidental alteration of personal data.
Where loss, alteration or unauthorised disclosure of person confidential information occurs, this constitutes an Information Governance incident that must be reported and investigated.
Under current Data Protection legislation, it is a legal requirement that an organisation must report a breach of personal data within 72 hours of the breach being discovered. If the breach is likely to result in a high risk to the rights and freedoms of individuals, organisations must also inform those individuals without undue delay.
Actual breaches of information security and/or confidentiality (e.g. loss or theft of a care record, laptop or mobile device; or patient information sent to the wrong address) must be reported following the Trust's incident reporting procedure, using the Datix incident form and the fast-track form where appropriate.
If person confidential information is involved, the impact of the loss will be assessed by the Information Governance Team and reported to the SIRO and Caldicott Guardian if appropriate. Where the relevant criteria are met, based on the incident's relevance and severity, it will be reported as a serious incident in line with national guidance to the Information Commissioner's Office (ICO), the Department of Health and Social Care and NHS Digital.
Suspected breaches should be discussed with the Information Governance Team to see whether or not they need to be formally reported.
If you have any further questions or concerns about these issues, please contact the IG Team.