Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

PURPOSE

An incident is defined as any safety, security or operational deviation in the areas of HIC in terms of people, organisation, IT and physical locations. HIC requires all staff, clients, suppliers and third parties to report a suspected incident immediately. This SOP describes procedures to follow when an incident occurs. An incident might be;

  • A people incident such as an employee accident.

  • An organisational incident where there is a deviation from policy, procedures, regulations such as GDPR (may or may not include data breach), analyses that raise potential NHS Clinical Governance, criminal or reputational issues, or an extended services outage.

  • An IT incident where a technical issue or unauthorised access is detected or there is total loss of IT services.

  • A physical location incident such as fire, power/ Wi-Fi outage or theft.

SCOPE

This SOP covers all of HIC. 

RESPONSIBILITIES

ROLE

RESPONSIBILITY

All Staff, Suppliers, Third Parties, Clients

  • Immediately report suspected incident

  • Implement corrective actions

Governance & Project Co-ordinator

  • Co-ordination of incident reporting

  • Monitoring of incident corrective actions

Incident Response Team (IRT)

  • Assess, respond and escalate incidents appropriately

Line Manager

  • Initially assess, respond and escalate incident

  • Hold team members accountable for corrective actions

PRINCIPLES 

  • Risk-Based Assessment and Response: Prioritise assessing potential risks to individuals arising from any security incident, considering the impact on privacy, safety, and individual freedoms.

  • Transparent and Prompt Communication: Communicate incidents to affected individuals and relevant authorities promptly, particularly when their rights or freedoms may be compromised, ensuring transparency without delay.

  • Accountability and Role Clarity: Clearly identify and empower a lead for each data processing activity to act as a point of accountability during a security incident response.

  • Timely Notification and Provisional Reporting: Notify relevant internal and external stakeholders within agreed timeframes, even if all details are not immediately available, to maintain trust and responsiveness.

  • Comprehensive Information Disclosure: Ensure that both individuals and relevant authorities receive the necessary information about an incident, including potential protective actions for individuals to mitigate further risks.

  • Consistent Documentation and Record-Keeping: Maintain thorough records of all security events, documenting the scope, impact, and handling of each event, whether or not they necessitate formal reporting, to support continuous improvement and accountability.

PROCEDURE

...

  1. Report Incident

    • All Staff must report any suspected incident immediately to their Line Manager or member of the Leadership Team. All Suppliers, Third Parties, and Clients must report suspected incident immediately to hicsupport@dundee.ac.uk.

  2. Assess

    • Line Manager will initially assess the incident and inform IRT. The incident will be assessed based on the severity and classified by category;

      • Category 1: Internal Incident - Deviation from HIC safety, security and normal operations in the area of people, organisation, IT and physical locations. Deviation from documented policy, processes, and knowledge items.  It may involve data but is contained within HIC Secure Environment. 

      • Category 2: A personal data breach has occurred with no, or low, resulting risk to data subject(s) rights and freedoms - The event is considered unlikely to result in a significant risk to data subject(s) so there is no requirement to report to the Information Commissioner’s Office (ICO), however, the reasons for not doing so will be included within the incident report. The University of Dundee Data Protection Officer (DPO) will be informed and a copy of the finalised report will be sent to them.

      • Category 3: A personal data breach has occurred with high resulting risk to data subject(s) rights and freedoms - Immediately contact Data Controller, University and NHS DPO and TASC Governance Manager to discuss and confirm the likely need to notify the ICO. Any ICO notification needs to be done within 72 hours of initially becoming aware of the incident. An initial report must be prepared within 24 hours.

  3. Respond & Escalate

    • IRT will take immediate action to limit impact of the incident.

    • Depending on the category and details of the incident, the Business Continuity and Disaster Recovery Plan will be enacted as a response.

    • Appropriate affected internal and external stakeholders will be notified. Refer to the Contacts section in the Business Continuity Plan. 

    • If the incident is identified in relation to a technical issue the System Administrator should be notified immediately. The severity of the issue will be assessed and one of three courses of action taken:  

      • Suspend all use of the affected service and any other affected part of HIC IT Systems or Infrastructure, until investigation is completed. 

      • Suspend only those HIC Technical staff or Approved Users who are part of the Project Group under investigation.  

      • Do nothing and monitor use whilst investigating the Incident. 

    • For categories 2 and 3, Data Protection Officer of the University of Dundee (UoD) or NHS will be informed for potential reporting to the ICO.   

      • In the event of an NHS data breach, the UoD Data Protection Officer will be kept informed, while the NHS Data Protection Officer will be responsible for reporting to the ICO.  

      • The Governance and Project Co-ordinator or nominated deputy will provide sufficient initial information about the breach, within the documented incident report, to enable an effective and prompt initial ICO report to the Data Controller and Data Protection Officer, within 24 hours:  

        • a description of the nature of the personal data breach including, where possible:  

          • the categories and approximate number of individuals concerned.  

          • the categories and approximate number of personal data records concerned.

          • the name and contact details of the data protection officer or other contact point where more information can be obtained.

          • a description of the likely consequences of the personal data breach.

          • a description, as much as possible at this early stage, of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.  

      • The Governance and Project Co-ordinator will advise and keep track of the 72 hour reporting deadline as the reporting process progresses, to help ensure this is met.  

    • Responding to analyses that raise potential NHS Clinical Governance, criminal or reputational issues.

      • Analyses for academic purposes may identify care which raises concerns about patient safety, broader clinical governance or the reputation of particular professionals, institutions or whole systems of care.

      • Additionally if any prima facie indications of malicious or potentially fraudulent or otherwise criminal activity associated (directly or indirectly) with the study are uncovered during the course of the study, those concerned need to act with speed and in confidence, taking actions that are in proportion to the size and severity of the suspected risk and consider legal risks such as defamation and a court’s ability to demand records.

      • HIC has limited resources to investigate such issues and it will usually be most appropriate for HIC to confine its role to alerting the NHS Medical Director to a potential problem and suggesting how this might be investigated. However, in circumstances suggesting risk to individuals or organisations, everyone using HIC services has an obligation to alert senior HIC staff who will in turn promptly alert the Medical Director within the relevant Health Board in the first instance, if there are serious grounds for concern.   

      • If an Approved Data User believes that their analysis raises such concerns, then they should initially report them in confidence to a HIC point of contact, who will ensure that they are rapidly considered by a senior clinical member of the HIC Leadership Team who is independent of the project.  If necessary, the HIC Academic Lead may consult others, for example Clinical Lead from HIC Executive, confidentially on the implications of the analysis, for example drawing on specialist expertise, to inform a decision about whether the analysis suggests a problem that requires action by HIC  and/or the NHS.

      • It is not possible to pre-specify all situations, but they are likely to fall into one of these classifications:   

        • No Clinical Governance issues identified, or minor issues  

        • Significant Clinical Governance issues identified.  

        • Significant issues AND risk to patients, or likely to cause damage or distress.  

      • Academic Lead Actions 

        • Decision that there is no significant clinical governance or reputational issue identified:  

          • Document the rationale for the decision.  

          • Decision that there is a potential quality of care, criminal or reputation issue identified, but that no immediate risk to patients exists.

          • Notify Medical Director within the relevant Health Board giving 30 days’ notice prior to publication.

          • Document the rationale for the decision. 

        • Decision that there is the potential for a high risk, patient safety, criminal or reputational issue to arise (likely to be rare):  

        • Urgently notify the Medical Director within the relevant Health Board that in the opinion of  HIC, there is a potential risk to patients or reputation.  If necessary, and if HIC resources allow, HIC  to work with the relevant Health Boards to ascertain whether further analysis would be helpful before NHS action (e.g.  since many analyses do not use the most current data, consider whether the analysis needs to be repeated in more recent data; consider whether de-anonymisation is required to identify patients needing intervention) . Support Health Board action in monitoring the effects of any intervention, if HIC  resources allow. 

  4. Document

    • Staff involved in reporting, assessing, and responding will document the event on the incident ticket in the project management system.

  5. Review

    • Documented incident will be reviewed by those involved, to identify root cause, lessons learned and enable corrective actions for training or process improvements to take place. 

    • Governance & Project Co-ordinator or delegated individual shall monitor completeness of corrective actions assigned.

    • Governance & Project Co-ordinator or delegated individual will report the incident to Leadership Team, ISMS Management Review, Executive and Information Security & Governance Committee.

    • Governance & Project Co-ordinator to update Incident Standard Operating Procedure as appropriate from review or feedback on procedure during an incident.

APPLICABLE REFERENCES

  • For Definitions see ISMS Glossary

  • Business Continuity Plan

  • Disaster Recovery Plan

DOCUMENT CONTROLS

Process Manager

Point of Contact

Symone Sheane

hicbusiness-support@dundee.ac.uk 

...