Data Breach Policy

Data Breach Policy – The Parks Medical Centre

Policy Objective
The aim of this policy is to ensure that in the event of a data breach, the appropriate measures are taken in compliance with GDPR.

Scope
This policy applies to medical data held in any form, i.e. computer files and paper files. It also applies to personnel data for all staff members, from contracts to payroll.

Typical Data Breaches are:
1) Loss or theft of data, or of equipment on which data is stored
2) Loss or theft of documents/folders
3) Unforeseen circumstances such as a flood or fire that destroy information
4) Inappropriate access controls allowing unauthorised use
5) A hacking/cyber-attack (such as ransomware)
6) Obtaining information from the practice by deception
7) Misaddressing of e-mails/post/scripts/certs
8) Sending a copy of a lab result or radiology result to the wrong patient
9) Working in the wrong patient’s file, e.g. where patients share the same name
10) Discussing patient information with a third party without the patient’s prior consent, e.g. the parent/guardian of a child or a spouse/partner

Procedure

In the event of a suspected data breach,

1) The Practice Manager must be notified in writing straight away.
2) This should be done by internal message, giving all details of the breach.
3) The Practice Manager will liaise with the practice owner, who will carry out a risk assessment to determine whether the event is a security incident only or a personal data breach.
4) If it is an incident only, the Data Protection Commission does not need to be informed; however, all details of the incident must be recorded.
5) If it is a personal data breach, the practice owner/manager will follow protocol and notify the Data Protection Commission as set out below.

Notification to The Data Protection Commission

The practice owner will notify the personal data breach to the Data Protection Commission without undue delay and, where feasible, no later than 72 hours after becoming aware of it. If the notification is made later than 72 hours after becoming aware of the breach, it will be accompanied by the reasons for the delay. The only exception is where the breach is unlikely to result in a risk to the rights and freedoms of natural persons (i.e. the patient).

Notification to the Data Subject
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons (the patient), the practice owner will communicate the breach to the patient without undue delay. It will be explained in clear and plain language and will contain the following:
1) The name and contact details of the data protection officer or other point of contact from whom more information can be obtained
2) A description of the breach and its likely consequences
3) A description of the measures the practice has taken or intends to take to manage the breach, and the steps taken to prevent a breach of this nature recurring

The Article 29 Data Protection Working Party has produced “Guidelines on Personal data breach notification under Regulation 2016/679”. The full document is available at
https://iapp.org/media/pdf/resource_centre/WP29-Breach-notification02-2018.pdf