
Information Governance Incident Reporting Procedure Version 3.0

Information Governance Incident Reporting Procedure

Version: 3.0

Ratified by: NHS Bury CCG Quality and Risk Committee

Date ratified: 15th February 2016

Name of originator /author (s):

Information Governance Manager

Responsible Committee / individual:

NHS Bury CCG Quality and Risk Committee

Date issued: 14th March 2016

Review date: March 2018

Target audience: NHS Bury Clinical Commissioning Group Members, staff, volunteers and contractors

Equality Analysis Assessed:

Yes

Further information regarding this document

Document name: Information Governance Incident Reporting Procedure (CCG.GOV.020.3.0)

Category of document in the Policy Schedule: Governance

Author(s) / contact(s) for further information about this document: Information Governance Manager

This document should be read in conjunction with: All Information Governance Policies

This document has been developed in consultation with: NHS Bury CCG Information Governance Operational Group

Published by: NHS Bury Clinical Commissioning Group, 21 Silver Street, Bury, BL9 0EN

Copies of this document are available from: CCG Corporate Office; CCG website

Version Control

Version History:

Version Number | Reviewing Committee / Officer | Date
3.0 (policy once reviewed) | NHS Bury Clinical Commissioning Group, Quality and Risk Committee | 15th February 2016

Table of Contents

1. Introduction ................................................................................................................... 4

2. Purpose ......................................................................................................................... 4

3. Definitions ..................................................................................................................... 4

4. Roles and Responsibilities ............................................................................................. 6

5. The Process for Reporting Information Governance Incidents ....................................... 6

6. Cyber Security Incident Reporting and Management Process......................................... 9

7. Reporting .................................................................................................................... 10

8. Closure and Lessons Learned from the IG Incident ..................................................... 12

8. Training and Awareness .............................................................................................. 12

9. Accountability, Responsibilities and Training ............................................................... 12

10. Monitoring and review ................................................................................................. 13

11. Legislation and related documents .............................................................................. 13

1. Introduction

1.1 NHS Bury Clinical Commissioning Group (hereafter referred to as the CCG) is committed to a programme of effective risk and incident management. This procedure explains the system staff are to use for the recording, reporting and reviewing of Information Governance, Information Security and / or cyber security incidents. Reporting an incident or a near miss is an integral part of personal, clinical and corporate governance.

1.2 Due to the increase in Information Governance and Cyber Security incidents, the HSCIC has introduced documentation called the “Checklist Guidance for Reporting, Managing and Investigating Information Governance and Cyber Security Serious Incidents Requiring Investigation” and on-line reporting via the IG Toolkit. The guidance covers reporting arrangements and the actions that need to be taken when an IG incident and / or IG SIRI occurs. It also contains guidance on scoring an incident based on the number of individuals affected together with other sensitivity factors. This is important because it defines when an incident becomes an IG SIRI: a reported IG incident becomes an IG SIRI once a level 2 score has been attained. This then affects how the incident is reported, as the HSCIC checklist outlines, and the CCG must therefore ensure the correct process is followed.

1.3 The CCG has a responsibility to monitor all Information Governance related incidents that occur that may breach the security and / or confidentiality of personal information.

1.4 All incidents must be reported using the CCG’s Incident Reporting System (Safeguard); however, when an IG incident occurs there are extra reporting mechanisms the CCG must comply with. This procedure provides details of these.

1.5 This procedure applies to all staff who work for or on behalf of the CCG. Third party contractors and others (e.g. business partners, including other public sector bodies, volunteers, commercial service providers) who may potentially use the CCG’s facilities must be aware of the importance of reporting perceived or actual events.

2. Purpose

2.1 This document sets out the directions across Bury Clinical Commissioning Group (the CCG) for the reporting and management of Information Governance / Cyber Security incidents.

2.2 This procedure applies to those members of staff who are directly employed by the CCG and for whom the CCG has legal responsibility.

2.3 For those staff covered by a letter of authority / honorary contract or work experience, the organisation’s policies are also applicable whilst undertaking duties for or on behalf of the CCG.

3. Definitions

3.1 Information Governance Related Incident

An Information Governance or Information Security related incident relates to breaches of security and / or the confidentiality of personal information which could be anything from users of computer systems sharing passwords, to a piece of paper identifying a patient being found in the high street.

It could also be any event that has resulted or could result in:

• The integrity of an information system or data being put at risk
• The availability of an information system or information being put at risk
• An adverse impact, for example, embarrassment to the NHS, threat to personal safety or privacy, legal obligation or penalty, financial loss and / or disruption of activities

Some of the more common areas of incidents are listed below, but this list is not exhaustive and should be used as guidance only. If there is any doubt as to whether what you have found is an incident, it is best to report it to the relevant personnel for this decision.

Breach of security

• Loss of computer equipment due to crime or an individual’s carelessness
• Loss of computer media, for example CDs, memory sticks / USB sticks, due to crime or an individual’s carelessness
• Accessing any part of a database using someone else’s authorisation, either fraudulently or by accident

Breach of confidentiality

• Finding a computer printout with personal identifiable data on it in a public area
• Finding any paper records about a patient / member of staff or the business of the organisation in any location outside secured CCG premises
• Being able to view patient records in an employee’s car
• Discussing patient and / or staff personal information with someone else in an open area where the conversation can be overheard
• A fax being received by the incorrect recipient

3.2 Information Governance Serious Incident Requiring Investigation (SIRI)

There is no simple definition of an Information Governance incident. What may at first appear to be of minor importance may, on further investigation, be found to be serious, or vice versa.

As a guide, any incident involving the actual or potential loss of personal information that could lead to identity fraud or have another significant impact on individuals should be considered serious. This definition applies irrespective of the media involved and includes both loss of electronic media and paper records.

Categorising the incident helps to determine the severity level of the Information Governance related incident and whether or not it is a SUI. This is explained in later sections of this procedure.

3.3 Information Governance Cyber Serious Incident Requiring Investigation

For the purposes of reporting, a Cyber incident is defined as anything that has compromised, or could compromise, information assets within Cyberspace. These types of incidents include denial of service attacks, phishing emails, social media disclosures, web site defacement, malicious internal damage, spoof websites and cyber bullying.

4. Roles and Responsibilities

4.1 Chief Officer

Has ultimate responsibility for the implementation of the provisions of this procedure. As the ‘Accountable Officer’ they are responsible for the management of the organisation and for ensuring that the appropriate mechanisms are in place to support incident reporting for IG and cyber security incidents.

4.2 Caldicott Guardian

To review and provide feedback regarding an incident where this relates to patient data. This may involve deciding whether or not to inform patients about an incident, where doing so would be deemed to cause them harm / distress.

4.3 Senior Information Risk Owner (SIRO)

To review Information Governance incidents, report Information Governance and information security issues to the Senior Management Team, and ensure that any external reporting of the incident, if required, is undertaken.

4.4 Information Governance Team

To co-ordinate and investigate reported IG incidents, maintain IG Incident Logbook, make recommendations and act on lessons learnt.

To liaise with the CCG Information Governance Lead, CCG SIRO and Greater Manchester Shared Services (GMSS) IT Services / IT Security Manager as appropriate pertaining to cyber security incidents.

To escalate incidents to the CCG Information Governance Lead in order to inform the SIRO, and/or Caldicott Guardian as appropriate.

To grade the incident and report it where necessary on the Information Governance Toolkit Incident Reporting Tool and local IG Incident Logbook.

4.5 CCG IT Manager

To work with IT to investigate the Cyber Security incident, make recommendations and act on lessons learnt.

To liaise with IG Teams as appropriate especially regarding reporting.

To inform the Senior Information Risk Owner, and/or Caldicott Guardian as appropriate.

To grade the incident, and ensure that where necessary it is reported on the IG Incident Reporting Tool – Cyber Security section (through the IG Team).

4.6 GMSS IT Services / IT Security Manager

To alert the CCG IT Manager and IG Team when a member of CCG staff reports a potential or actual cyber security incident via Service Now, so that it can be investigated, and to assist with the grading of the incident.

5. The Process for Reporting Information Governance Incidents

5.1 Staff must follow the CCG’s Incident Reporting Procedure in order to report any incident. All Information Security / Information Governance incidents must be reported using this procedure only and no other method.

5.2 Incidents must be logged on the CCG’s Safeguard system by the member of staff reporting the incident.

5.3 Once the IG Team have been notified of an incident relating to Information Governance, the team will ensure it is entered on the Incidents Logbook.

5.4 The IG Team will assess the incident and calculate the severity score according to the checklist contained within the “Checklist Guidance for Reporting, Managing and Investigating Information Governance and Cyber Serious Incidents Requiring Investigation (SIRIs)”. Please see the link below (Annex A):

https://www.igt.hscic.gov.uk/resources/HSCIC%20SIRI%20Reporting%20and%20Checklist%20Guidance.pdf

5.5 The IG Team based at the CCG where the incident has occurred must be notified of all Information Governance and Information Security incidents, in addition to the incident being logged following the CCG’s incident reporting processes. The immediate response to the incident and the escalation process for reporting and investigating incidents will vary according to the severity level of the incident.

5.6 The flowchart (Figure 1) sets out the overall process for reporting, managing and investigating Information Governance incidents for the CCG for incidents scored level 1 and below and level 2 and above (IG SIRI’s).

Figure 1: Incident Process Flowchart (the flowchart boxes, in process order)

1. Potential or actual Information Governance / Information Security related incident identified.
2. Incident Management: the staff member who identified the incident must log it using the CCG incident reporting tool (Safeguard) and inform the Lead IG / IG Officer in the CCG ASAP.
3. Incident report received by the IG Team and logged on the IG Incident Logbook.
4. Assessment of the severity level of the incident by the Lead IG / IG Officer and associated personnel (e.g. Information Security Officers, Caldicott Guardian, SIRO, department who reported the incident) using the HSCIC grading tool.

Incident graded at Level 0 - 1 (Information Governance related Incident):
• Manage locally
• Investigation
• Final Report (to be fed back to all parties concerned) and update to Logbook

Incident scored at Level 2 + (Information Governance related Serious Incident Requiring Investigation (SIRI)):
• Inform CCG CG & SIRO
• Report on IG Incident Reporting Tool within 24 hrs (the score can be changed later if need be); this informs the ICO and DH
• Hold Investigation Meeting (IG/CG/SIRO and other relevant parties). Form and document action plan / lessons learned. IG Team produce IG Incident Report
• IG Team feed back outcome and update Safeguard, Logbook and IG Toolkit Incident Reporting Tool (amend score if necessary)
• Reply to ICO investigation questions (if sent) and keep the ICO updated

Both routes then:
• Close incident and, if IG SIRI, close on the IGTK Incident Reporting Tool
• Feed into training and awareness sessions

6. Cyber Security Incident Reporting and Management Process

6.1 Figure 2 outlines the incident reporting process for cyber security incidents. In most cases, staff will report such incidents via the IT helpdesk, as they will tend to be IT related, such as a PC / laptop not working correctly, phishing emails or denial of access to a system or webpage. Because of this, the IG Team are linking with IT Services and the GMSS IT Security Manager to capture such recorded incidents. Candidate incidents will be identified through the use of key words and then confirmed as cyber security incidents or not. Notification of a confirmed incident will be forwarded to the IG Team, who will then liaise with IT Security staff to assess its severity and sensitivity and grade it as per the HSCIC checklist. The incident is logged on the Cyber Security Incident Logbook and updated throughout the investigation process.

6.2 Incidents may also be captured via the CCG’s incident procedure. In these cases, the IG Team will liaise with the IT Security Manager to inform them and follow the same process as above.

6.3 For Cyber Security incidents, it is vital that the person responsible for any operational response, typically the CCG IT Manager, is notified and the SIRO kept up to date.

6.4 Cyber security incidents scored Level 2 and above must be logged on the IG Toolkit Incident Reporting Tool. This then triggers an automated notification email to the Department of Health and HSCIC. Please note the ICO are not informed of cyber incidents scored level 2 and above.

Figure 2: Cyber Security Incident Reporting Process. Step One – Notification from IT Services / GMSS IT Security Manager [remaining flowchart steps not reproduced in text]

7. Reporting

7.1 Reporting in the Annual Governance Statement / Statement of Internal Control

Incidents classified at IG SIRI level 2 and above are those classed as a personal data breach or as carrying a high risk of reputational damage, and are reportable to the DoH and ICO. These incidents need to be detailed individually in the annual report / governance statement / Statement of Internal Control as per Table 1 below. Notes to assist in completing the table can be found in the HSCIC checklist: https://www.igt.hscic.gov.uk/resources/HSCIC%20SIRI%20Reporting%20and%20Checklist%20Guidance.pdf

Table 1 – Summary Table of IG SIRIs

SUMMARY OF SERIOUS UNTOWARD INCIDENTS INVOLVING PERSONAL DATA AS REPORTED TO THE INFORMATION COMMISSIONER’S OFFICE [from year to year]

Date of Incident (month) | Nature of Incident | Nature of data involved | Number of people potentially affected | Notification Steps
Jan | Loss of inadequately protected electronic storage device | Name, address, NHS number | 1,500 | Individuals notified by post

Further action on information risk: The CCG will continue to monitor and assess its information risks, in light of the events noted above, in order to identify and address any weaknesses and ensure continuous improvement of its systems. The member of staff responsible for this incident has been dismissed.

7.2 A summary of IG incidents must also be published in annual reports / governance statements using the summary table as highlighted in Table 2:

Table 2 – Annual Summary of IG reported incidents below Level 1

SUMMARY OF OTHER PERSONAL DATA RELATED INCIDENTS IN [insert year to year]

Category | Nature of Incident | Total
A | Corruption or inability to recover electronic data |
B | Disclosed in Error |
C | Lost in Transit |
D | Lost or stolen hardware |
E | Lost or stolen paperwork |
F | Non-secure Disposal – hardware |
G | Non-secure Disposal – paperwork |
H | Uploaded to website in error |
I | Technical security failing (including hacking) |
J | Unauthorised access / disclosure |
K | Other |

Please note that incidents designated as “pure cyber” are not required to be included in the annual reports and SIC at this time. However, cyber incidents that are also IG SIRIs should be included.

7.3 Reporting by the HSCIC

The document below explains how the HSCIC publish data on IG SIRI’s.

https://www.igt.hscic.gov.uk/resources/SIRI%20Reporting%20Tool%20Publication%20Statement.pdf

7.4 Reporting to the Information Governance Operational Group (IGOG)

IG incidents are reported routinely at the IGOG Meeting via the IG Key Statistics Report. Lessons learned are discussed and actioned when necessary.

8. Closure and Lessons Learned from the IG Incident

• Set target timescale for completing investigation and finalising report
• Report reviewed and signed off by appropriate persons or appraisal group
• Identify who is responsible for disseminating lessons learnt
• Closure of IG SIRI – only when all aspects, including any disciplinary action against staff, are settled
• Update the IG Incident Reporting Tool – the record cannot be closed until all the data fields are populated, including ‘Actions taken’ and ‘Lessons Learned’
• HSCIC External IG Delivery Team will be notified by email when an incident is closed and will monitor progress
• The CCG Board must publish data breaches involving the processing of personal data without a legal basis, where one is required
• Reports of IG SIRIs should be published on the CCG website and can be easily exported from the IG Incident Reporting Tool for publication

8. Training and Awareness

This procedure will be available on the CCG’s Policy Library on the intranet and on the Information Governance page on the staff intranet. Staff are also informed about the reporting of incidents during Mandatory training. Lessons learned from incidents will be fed back into future training or where appropriate to the staff concerned to encourage further participation and demonstrate the value of reporting to the CCG.

The relevant committees in the CCG where IG is an agenda item are made aware of the information governance related incidents reported and the associated action plans to mitigate similar incidents occurring in the future.

All staff will continue to be informed about the importance of reporting information governance related incidents via a variety of media such as handouts, leaflets, intranet, newsletter, emails and training sessions.

9. Accountability, Responsibilities and Training

Overall accountability for procedural documents across the organisation lies with the Chief Officer who has overall responsibility for establishing and maintaining an effective document management system, for meeting all statutory requirements and adhering to guidance issued in respect of procedural documents.

Overall responsibility for the Incident Reporting Procedure lies with the Risk Manager who has delegated responsibility for managing the development and implementation of Information Governance Incident Reporting procedural documents.

The Senior Information Risk Owner (SIRO), with support from the Information Asset Owners, is responsible for any issues of information risk that arise from incidents and for ensuring appropriate actions are in place to mitigate future risk.

The Caldicott Guardian is responsible for overseeing and advising on issues of service user confidentiality for the CCG.

Line managers are responsible for ensuring that all staff, particularly new staff, temporary staff, contractors and volunteers, know what is expected of them with respect to confidentiality and protecting information. They are also responsible for monitoring compliance with this guideline e.g. undertake ad hoc audits to check for inappropriate disclosures, records left out, abuse of passwords etc.

Staff are responsible for maintaining the confidentiality of all personal and corporate information gained during their employment with the CCG and this extends after they have left the employ of the CCG.

Individual staff members are personally responsible for any decision to pass on information that they may make.

All staff are responsible for adhering to the Caldicott Principles, the Data Protection Act and the Confidentiality Code of Conduct.

Staff will receive instruction and direction regarding the policy from a number of sources:

• Policy / strategy and procedure manuals
• line manager
• specific training course
• other communication methods (e.g. team brief / team meetings)
• staff Intranet

All staff are mandated to undertake Information Governance training on an annual basis. This training should be provided within the first year of employment and then updated as appropriate in accordance with the Information Governance policy.

10. Monitoring and review

10.1 Performance against Key Performance Indicators will be reviewed on an annual basis and used to inform the development of future procedural documents.

10.2 This procedure will be reviewed on a yearly basis, and in accordance with the following on an as and when required basis:

• legislative changes;
• good practice guidance;
• case law;
• significant incidents reported;
• new vulnerabilities; and
• changes to organisational infrastructure.

11. Legislation and related documents

11.1 A set of procedural document manuals will be available via the CCG staff Intranet.

11.2 Staff will be made aware of procedural document updates as they occur via team briefs, team meetings and notification via the CCG staff Intranet.

11.3 All documents in the CCG Policies and Procedures Register are relevant.