4 Personal data breaches
The Review Panel concludes that there should be a single definition of a ‘personal data breach’ used by the whole health and social care system, and endorses the adoption of the definition below. This goes beyond the definition used by the ICO to include paper breaches such as letters to the wrong address, as well as electronic records. The amended definition would read:
Definition of a data breach
A data breach is any failure to meet the requirements of the Data Protection Act. This includes unlawful disclosure or misuse of confidential data, recording or sharing of inaccurate data and inappropriate invasion of people’s privacy.
4.6 Reporting arrangements
Reporting and management of information governance issues and related serious incidents in the NHS was included within the ‘National Framework for Reporting and Learning from Serious Incidents Requiring Investigation’ issued by the National Patient Safety Agency in 2010. Under the guidance, primary care trusts and SHAs were responsible for monitoring and reviewing the case with their providers.
The Review Panel concludes that these reporting arrangements must be clarified, following the implementation of the Health and Social Care Act 2012, particularly for the major processors of data such as clinical commissioning groups, the Health and Social Care Information Centre, the Data Management Integration Centres, providers and local authorities.
It should be noted, however, that discussion of serious incidents has hitherto focused exclusively on things that should not happen, and does not encompass those that should, for example the appropriate sharing of information for patient care.
Under current arrangements, the focus of reporting has been on the scale of data losses, determined by the number of people affected and the potential for reputational damage and media attention. During the course of this review, the Department of Health was investigating more sophisticated methods of categorisation that take account of the potential for clinical harm, damage or distress to patients. This will be introduced as an on-line reporting tool associated with the Information Governance Toolkit in May 2013 and will be further refined during a review of toolkit content later in the year.
Hitherto, there has been no requirement on local authorities to provide similar reports on data breaches in relation to their social care activity, as per NHS organisations, other than reporting to the ICO. From April 2013, when local authorities take on the responsibility for public health, local authorities will be responsible for the data management previously carried out by the NHS. This opportunity should be used to enhance and strengthen the
43 Privacy applies to public bodies, but would also apply to private sector through contract or court decision.