ScHARR Information Governance

Policy Section 6: Incident Management

Version 18/03/31


In order to protect sensitive information and to comply with both the data protection legislation (General Data Protection Regulations (GDPR)) and the incident management guidance made available by the NHS Digital, it is vital that procedures are in place to report any potential breaches of data confidentiality and security, i.e. information incidents.

Information incidents include cases where there is potential, as well as actual, loss of or damage to data.

Examples of information incidents include:

  • Shared usernames and passwords. This is a breach of Information Security and bad practice. People may access more information than they are permitted to see which is a breach of the General Data Protection Regulations (GDPR).
  • Computers that are not protected; i.e. left unlocked or risk-bearing data unencrypted on the hard drive.
  • Offices left unlocked, doors held open
  • Lost/stolen equipment containing risk-bearing data that are not appropriately protected
  • Information stored on external services without the proper checks
  • Information shared incorrectly; i.e. transmission of risk-bearing data by unencrypted e-mail
  • Saving of usernames and passwords within the browsers of computers that are not protected

Potential information incidents will be assessed by the IG Committee, and, in cases where this initial assessment indicates it may be serious, the NHS Digital’s guide to the assessment and management of information incidents will be consulted and its recommended actions followed.

A more detailed guide to the reporting procedure to be followed in case of a personal data security breach can be downloaded from the ICO web pages.


The IG Committee will formally assess and document risks to information and the controls put in place to manage risk.

The IG Committee will work with ScHARR Research Ethics Committee (REC) to assess IG risk on projects considered by ScHARR REC.

Any suspected information incident must be reported to a Section IG Lead, the IG Manager or the School IG Lead as soon as possible.

Once the IG Committee are aware of a possible information incident they will:

  1. record the incident in an Incident Investigation Log
  2. carry out an investigation to establish the details and assess the impact, including the nature of the incident, the type of data involved, the perceived sensitivity of the data and the number of people affected and record the details in the incident log
  3. where the incident involves a serious loss of risk-bearing data and/or damage to computer systems, immediately inform Corporate Information and Computing Services (CiCS) according to their standard Security Incident Policy and Procedure.
  4. if illegal activity (for example, theft) is suspected, ensure University Security Services have been informed.
  5. document any corrective actions taken and preventative actions to be taken in order to attempt to prevent any recurrence of this type of incident

The Incident Investigation Log should only be shared outside of the Information Governance Committee where necessary and at the discretion of the IG Lead, unless there is a legal requirement to do so.

The IG Lead should report a suspected breach to CiCS; the named liaison with the ICO within CiCS will decide whether a breach needs to be reported to the Information Commissioner’s Office, or other authorities, and raise the report as necessary.

Section 7: International data transfers