ScHARR Information Governance


Policy Section 6: Incident Management

Version 19/03/31

Background

In order to protect sensitive information and to comply with both the data protection legislation (GDPR) and the incident management guidance made available by NHS Digital, it is vital that procedures are in place to report any potential breaches of data confidentiality and security, i.e. information incidents. Information incidents include cases where there is potential, as well as actual, loss of or damage to data.

Examples of information incidents include:

  • Shared usernames and passwords. This is a breach of Information Security and expressly forbidden by CiCS. People may access more information than they are permitted to see, which is a breach of GDPR.
  • Computers that are not protected by a password or are left unlocked
  • Computers with risk-bearing data stored unencrypted on the hard drive
  • Offices left unlocked, or doors held open
  • Lost/stolen equipment containing risk-bearing data that are not appropriately protected
  • Information stored on external services without the proper checks
  • Information shared incorrectly, e.g. transmission of risk-bearing data unencrypted by e-mail
  • Saving of usernames and passwords within web browsers of computers that are not protected
  • Reuse of usernames and passwords.

Potential information incidents will be assessed by the IG Committee. In cases where this initial assessment indicates that risk-bearing data has potentially been shared outside of ‘trusted’ partners, as defined in the guidance on reporting an incident for the Data Protection Regulation (GDPR) and Networks and Information Systems (NIS) Directive, this guide will be used to direct subsequent actions. A more detailed guide to the reporting procedure is available from the ICO web pages.

Policy

The IG Committee will formally assess and document risks to information and the controls put in place to manage risk.

The IG Committee will work with ScHARR Research Ethics Committee (REC) to assess IG risk on projects considered by ScHARR REC.

Any suspected information incident must be reported to a Section IG Lead, the IG Manager or the School IG Lead as soon as possible.

If ScHARR staff become aware outside of normal working hours of an information security incident that involves a serious loss of risk-bearing data and/or damage to computer systems, they should report it to University Security on 0114 222 4085, as mandated in the CiCS Information Security Incident Policy and Procedure.

Once the IG Committee are aware of a possible information incident they will:

  1. record the incident in an Incident Investigation Log;
  2. carry out an investigation to establish the details and assess the impact, including the nature of the incident, the type of data involved, the perceived sensitivity of the data and the number of people affected, and record the details in the incident log (this assessment may involve other relevant staff, such as IT technicians, if appropriate; it may be necessary to download, open, read, copy or move files in order to determine whether they contain risk-bearing data);
  3. where the incident involves a serious loss of risk-bearing data and/or damage to computer systems, immediately inform Corporate Information and Computing Services (CiCS) according to their standard Security Incident Policy and Procedure;
  4. if illegal activity (for example, theft) is suspected, ensure University Security Services have been informed;
  5. document any corrective actions taken and any preventative actions to be taken in order to prevent a recurrence of this type of incident.

The Incident Investigation Log should only be shared outside of the Information Governance Committee where necessary and at the discretion of the IG Lead, unless there is a legal requirement to do so.

Where the assessment concludes that it is (at least) likely that some harm has occurred and that the impact is (at least) minor, the IG Lead should report this to CiCS; the named liaison with the ICO within CiCS will decide whether the incident needs to be reported to the Information Commissioner’s Office, or other authorities, and will raise the report as necessary.

Section 7: International data transfers