PURPOSE
An incident is defined as any safety, security or operational deviation within HIC affecting people, organisation, IT or physical locations. HIC requires all staff, clients, suppliers and third parties to report a suspected incident immediately. This SOP describes the procedures to follow when an incident occurs. An incident might be:
A people incident such as an employee accident.
An organisational incident, where there is a deviation from policy, procedures or regulations such as GDPR (which may or may not include a data breach), analyses that raise potential NHS Clinical Governance, criminal or reputational issues, or an extended services outage.
An IT incident, where a technical issue or unauthorised access is detected, or where there is a total loss of IT services.
A physical location incident such as fire, power or Wi-Fi outage, or theft.
SCOPE
This SOP covers all of HIC.
RESPONSIBILITIES
ROLE | RESPONSIBILITY |
---|---|
All Staff, Suppliers, Third Parties, Clients | |
Governance & Project Co-ordinator | |
Incident Response Team (IRT) | |
Line Manager | |
PRINCIPLES
Risk-Based Assessment and Response: Prioritise assessing potential risks to individuals arising from any security incident, considering the impact on privacy, safety, and individual freedoms.
Transparent and Prompt Communication: Communicate incidents to affected individuals and relevant authorities promptly, particularly when their rights or freedoms may be compromised, ensuring transparency without delay.
Accountability and Role Clarity: Clearly identify and empower a lead for each data processing activity to act as a point of accountability during a security incident response.
Timely Notification and Provisional Reporting: Notify relevant internal and external stakeholders within agreed timeframes, even if all details are not immediately available, to maintain trust and responsiveness.
Comprehensive Information Disclosure: Ensure that both individuals and relevant authorities receive the necessary information about an incident, including potential protective actions for individuals to mitigate further risks.
Consistent Documentation and Record-Keeping: Maintain thorough records of all security events, documenting the scope, impact, and handling of each event, whether or not they necessitate formal reporting, to support continuous improvement and accountability.
PROCEDURE
Report Incident
All Staff must report any suspected incident immediately to their Line Manager or a member of the Leadership Team. All Suppliers, Third Parties and Clients must report any suspected incident immediately to hicsupport@dundee.ac.uk.
Assess
The Line Manager will initially assess the incident and inform the IRT. The incident will be assessed based on its severity and classified by category:
Category 1: Internal Incident - Deviation from HIC safety, security and normal operations in the areas of people, organisation, IT and physical locations, or deviation from documented policy, processes and knowledge items. It may involve data, but the data remains contained within the HIC Secure Environment.
Category 2: A personal data breach has occurred with no, or low, resulting risk to data subject(s) rights and freedoms - The event is considered unlikely to result in a significant risk to data subject(s), so there is no requirement to report to the Information Commissioner's Office (ICO); however, the reasons for not doing so will be included within the incident report. The University of Dundee Data Protection Officer (DPO) will be informed and a copy of the finalised report will be sent to them.
Category 3: A personal data breach has occurred with high resulting risk to data subject(s) rights and freedoms - Immediately contact the Data Controller, the University and NHS DPOs and the TASC Governance Manager to discuss and confirm the likely need to notify the ICO. Any ICO notification must be made within 72 hours of initially becoming aware of the incident. An initial report must be prepared within 24 hours.
Respond & Escalate
The IRT will take immediate action to limit the impact of the incident.
Depending on the category and details of the incident, the Business Continuity and Disaster Recovery Plan will be enacted as a response.
Appropriate affected internal and external stakeholders will be notified. Refer to the Contacts section in the Business Continuity Plan.
If the incident relates to a technical issue, the System Administrator should be notified immediately. The severity of the issue will be assessed and one of three courses of action taken:
Suspend all use of the affected service and any other affected part of HIC IT Systems or Infrastructure until the investigation is completed.
Suspend only those HIC Technical staff or Approved Users who are part of the Project Group under investigation.
Take no restrictive action and monitor use whilst investigating the incident.
For Categories 2 and 3, the Data Protection Officer of the University of Dundee (UoD) or the NHS will be informed for potential reporting to the ICO.
In the event of an NHS data breach, the UoD Data Protection Officer will be kept informed, while the NHS Data Protection Officer will be responsible for reporting to the ICO.
The Governance and Project Co-ordinator or nominated deputy will provide sufficient initial information about the breach, within the documented incident report, to enable the Data Controller and Data Protection Officer to make an effective and prompt initial ICO report within 24 hours. This includes:
a description of the nature of the personal data breach, including, where possible:
the categories and approximate number of individuals concerned.
the categories and approximate number of personal data records concerned.
the name and contact details of the data protection officer or other contact point where more information can be obtained.
a description of the likely consequences of the personal data breach.
a description, as much as possible at this early stage, of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
The Governance and Project Co-ordinator will advise on, and keep track of, the 72-hour reporting deadline as the reporting process progresses, to help ensure it is met.
Responding to analyses that raise potential NHS Clinical Governance, criminal or reputational issues
Analyses for academic purposes may identify care which raises concerns about patient safety, broader clinical governance or the reputation of particular professionals, institutions or whole systems of care.
Additionally, if any prima facie indications of malicious, potentially fraudulent or otherwise criminal activity associated (directly or indirectly) with the study are uncovered during the course of the study, those concerned need to act with speed and in confidence, taking actions that are in proportion to the size and severity of the suspected risk and considering legal risks such as defamation and a court's ability to demand records.
HIC has limited resources to investigate such issues, and it will usually be most appropriate for HIC to confine its role to alerting the NHS Medical Director to a potential problem and suggesting how it might be investigated. However, in circumstances suggesting risk to individuals or organisations, everyone using HIC services has an obligation to alert senior HIC staff, who will in turn promptly alert the Medical Director within the relevant Health Board in the first instance if there are serious grounds for concern.
If an Approved Data User believes that their analysis raises such concerns, they should initially report them in confidence to a HIC point of contact, who will ensure that they are rapidly considered by a senior clinical member of the HIC Leadership Team who is independent of the project. If necessary, the HIC Academic Lead may confidentially consult others, for example the Clinical Lead from the HIC Executive, on the implications of the analysis, drawing on specialist expertise where appropriate, to inform a decision about whether the analysis suggests a problem that requires action by HIC and/or the NHS.
It is not possible to pre-specify all situations, but they are likely to fall into one of these classifications:
No Clinical Governance issues identified, or minor issues.
Significant Clinical Governance issues identified.
Significant issues AND risk to patients, or likely to cause damage or distress.
Academic Lead Actions
Decision that there is no significant clinical governance or reputational issue identified:
Document the rationale for the decision.
Decision that there is a potential quality of care, criminal or reputational issue identified, but that no immediate risk to patients exists:
Notify the Medical Director within the relevant Health Board, giving 30 days' notice prior to publication.
Document the rationale for the decision.
Decision that there is the potential for a high risk, patient safety, criminal or reputational issue to arise (likely to be rare):
Urgently notify the Medical Director within the relevant Health Board that, in the opinion of HIC, there is a potential risk to patients or reputation. If necessary, and if HIC resources allow, HIC will work with the relevant Health Boards to ascertain whether further analysis would be helpful before NHS action (e.g. since many analyses do not use the most current data, consider whether the analysis needs to be repeated on more recent data; consider whether de-anonymisation is required to identify patients needing intervention). Support Health Board action in monitoring the effects of any intervention, if HIC resources allow.
Document
Staff involved in reporting, assessing and responding will document the event on the incident ticket in the project management system.
Review
The documented incident will be reviewed by those involved to identify the root cause and lessons learned, and to enable corrective actions for training or process improvements to take place.
The Governance & Project Co-ordinator or a delegated individual shall monitor the completeness of assigned corrective actions.
The Governance & Project Co-ordinator or a delegated individual will report the incident to the Leadership Team, ISMS Management Review, Executive and Information Security & Governance Committee.
The Governance & Project Co-ordinator will update this Incident Standard Operating Procedure as appropriate following review, or feedback on the procedure received during an incident.
APPLICABLE REFERENCES
For definitions, see the ISMS Glossary.
Business Continuity Plan
Disaster Recovery Plan
DOCUMENT CONTROLS
Process Manager | Point of Contact |
---|---|
Symone Sheane | |
Revision Number | Revision Date | Revision Made | Revision By | Revision Category | Approved By | Effective Date |
---|---|---|---|---|---|---|
1.0 | 11/04/24 | Moved SOP to Confluence from SharePoint and updated into new template | Bruce Miller and Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 11/04/24 |
1.1 | 16/04/24 | Deleted Appendix C from applicable references. No longer an applicable reference used across ISMS. | Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 16/04/21 |
1.2 | 19/04/24 | Updated Approved by title | Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 19/04/24 |
1.3 | 23/04/24 | Updated a grammatical error. Changed Committee’s to Committees. | Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 23/04/24 |
1.4 | 30/04/24 | Updated Header to conform with BSI guidelines | Bruce Miller | Superficial | Governance Co-Ordinator: Symone | 30/04/24 |
1.5 | 02/05/24 | Updated links to Definitions in ISMS Glossary | Bruce Miller | Superficial | Governance Co-Ordinator: Symone Sheane | 02/05/24 |
1.6 | 10/10/24 | Followed up on suggested changes in comments and updated labels inline with 2022 standard | Bruce Miller | Superficial | Symone Sheane | 17/10/24 |
1.7 | 17/10/24 | Updated Process Manager | Symone Sheane | Superficial | Symone Sheane | 17/10/24 |
1.8 | 07/11/24 | Changed language from significant event to Incident. Combined Disaster Recovery and Business Continuity Teams into a single Disaster Recovery Response Team. Changed step from informing Leadership to informing all of Incident Response Team. | Symone Sheane | Material | Leadership Team | 07/11/24 |
Copyright Health Informatics Centre. All rights reserved. May not be reproduced without permission.
All hard copies should be checked against the current electronic version within the current versioning system prior to use and destroyed promptly thereafter. All hard copies are considered Uncontrolled documents.