Personal data breaches are defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".
They can be categorised into:1
- confidentiality breach: an unauthorised or accidental disclosure of or access to personal data (this type of breach is most common with patients' records)
- availability breach: an accidental or loss of access to or destruction of personal data (for example, the sort of problem that might arise after a cyberattack that prevented access to and/or destroyed records)
- integrity breach: unauthorised or accidental alteration of personal data.
A data breach may involve all three categories, depending on the circumstances.
You must report a data breach to the Information Commissioner's Office (ICO) no later than 72 hours of becoming aware of the breach if it is likely to result in a "risk to the rights and freedoms of individuals".
NHS/mixed practices in England should report a data breach using the Data Security and Protection Incident Reporting tool, which will report relevant incidents to NHS Digital, the Department of Health, the ICO and other regulators.
Private practices in England that are not contracted by a public sector organisation can choose whether they report a data breach using the Data Security and Protection Incident Reporting tool or by using the ICO breach reporting tool.
In Scotland, Wales and Northern Ireland, all practices should report a data breach using the ICO breach reporting tool in each jurisdiction (see links below).
Not every data breach meets the threshold for notification to the ICO. To identify those that do, members can access the ICO's self-assessment breach tool on the organisation's website.
For data breach reporting enquiries, you can also call the ICO helpline on 0303 123 1113, which is available Monday to Friday between 9am and 5pm.
If there is an urgent security related incident that requires immediate assistance and support, you can contact the Data Security Centre helpdesk on 0300 303 5222 or firstname.lastname@example.org. Local incident management must still be carried out in the normal way.
Breach notification must include:
- the nature of personal data breach, including:
- the categories and approximate number of individuals concerned
- categories and approximate number of personal data records concerned
- name and contact details of DPO or other contact point
- description of likely consequences of personal data breach
- description of measures taken or proposed to be taken to deal with personal data breach, including measures to mitigate possible adverse effects.
The UK GDPR states that you should inform the data subject if a breach is likely to result in a high risk to their rights and freedoms. This is a higher level of risk than one that triggers a notification to the ICO.
An accidental disclosure of patient records, for example, is likely to produce a high risk to the rights and freedoms of patients, requiring you to inform the data subjects. This is because of the significant impact on the affected patients due to the sensitivity of the data and the potential for confidential medical details to become known to others.
Failure to notify a breach to the ICO appropriately can result in an administrative fine much higher than fines for breaching the Data Protection Act 2018. This could be up to £8.7 million, or 2% of your global turnover.
You should make sure all staff, including trainees, are aware of what constitutes a data breach and induction procedures should ensure that all staff receive GDPR training. You should also have robust procedures in place to detect, investigate and report breaches which should include a named person (such as the DPO) to lead on the local investigation and incident management.
GDC guidance on data breaches
The GDC's Standards for the Dental Team does not make specific reference to data breaches, but Standard 1.3 says "You must be honest and act with integrity."
When read in combination with Standard 4.5.1 - "You must make sure that patients' information is not revealed accidentally and that no-one has unauthorised access to it by storing it securely at all times" - it would seem sensible to inform patients of any data breaches, even if it is not mandatory under the UK GDPR.
This page was correct at publication on 12/08/2022. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.