ScHARR Information Governance


Policy Section 6: Incident Management

Version 17/03/31

Background

In order to protect sensitive information and to comply with both data protection legislation (Data Protection Act 1998) and the incident management guidance published by NHS Digital, it is vital that procedures are in place to report any potential breach of data confidentiality or security, i.e. an information incident.

Information incidents include cases where there is potential, as well as actual, loss of or damage to data.

Examples of information incidents include:

  • Shared usernames and passwords.
  • Computers that are not protected, i.e. left unlocked, or with risk-bearing data stored unencrypted on the hard drive.
  • Offices left unlocked, or doors held open.
  • Lost or stolen equipment containing risk-bearing data that is not appropriately protected.
  • Information stored on external services without the proper checks.
  • Information shared incorrectly, i.e. transmission of risk-bearing data by unencrypted e-mail.
  • Usernames and passwords saved in the browsers of computers that are not protected.

Potential information incidents will be assessed by the IG Committee and, where this initial assessment indicates that an incident may be serious, NHS Digital’s guide to the assessment and management of information incidents will be consulted and its recommended actions followed (see the NHS Digital Knowledge Base web page for a link to the latest version of “HSCIC: Checklist Guidance for Reporting, Managing and Investigating Information Governance and Cyber Security Serious Incidents Requiring Investigation”).

Policy

The IG Committee will formally assess and document risks to information and the controls put in place to manage risk.

The IG Committee will work with ScHARR Research Ethics Committee (REC) to assess IG risk on projects considered by ScHARR REC.

  • Any suspected information incident must be reported to a Section IG Lead, the IG Manager or the School IG Lead as soon as possible.
  • Once the IG Committee are aware of a possible information incident they will:
      1. record the incident in an Incident Investigation Log;
      2. carry out an investigation to establish the details and assess the impact, including the nature of the incident, the type of data involved, the perceived sensitivity of the data and the number of people affected, and record the details in the incident log;
      3. where the incident involves a serious loss of risk-bearing data and/or damage to computer systems, immediately inform Corporate Information and Computing Services (CiCS) according to their standard Security Incident Policy and Procedure (www.shef.ac.uk/cics/policies/securityincident);
      4. if illegal activity (for example, theft) is suspected, ensure University Security Services have been informed;
      5. document any corrective actions taken and any preventative actions to be taken in order to prevent a recurrence of this type of incident.
  • The Incident Investigation Log should only be shared outside of the Information Governance Committee where necessary and at the discretion of the IG Lead, unless there is a legal requirement to do so.

The IG Lead should report a suspected breach to CiCS; the named liaison with the ICO within CiCS will decide whether the breach needs to be reported to the Information Commissioner and will raise the report as necessary. Where NHS Digital classifies an incident as a reportable SIRI (Serious Incident Requiring Investigation), it should be recorded and communicated via the NHS Digital IG Toolkit Incident Reporting Tool.

Section 7: International data transfers