
Incident Reporting Policy 2021

1. Introduction

1.1 Practicing efficient incident reporting and management is essential to HEE’s compliance with data protection legislation and ensuring that confidentiality is respected while risks to information are appropriately managed. Incident reporting is the responsibility of all members of staff.

1.2 It is a legal obligation under the General Data Protection Regulation 2016 (GDPR) and the Data Protection Act 2018 (DPA) to report personal data breaches that are likely to result in a risk to the rights and freedoms of individuals to the Information Commissioner’s Office (ICO) within 72 hours.

1.3 HEE is therefore committed to ensuring that an incident management process is in place and used effectively as part of its approach to incident and information risk management.

1.4 Incidents may occur in any area of the organisation or within commissioned services.

1.5 Reporting and investigating incidents enables HEE to highlight any areas of vulnerability; identify where greater awareness is needed and where policies and procedures may need updating; and prevent or minimise the likelihood of incidents recurring in the future.

1.6 Together, reporting and investigation achieve the following:

  • Clarification of roles and responsibilities of members of staff regarding the management of incidents;
  • Setting of standards regarding investigation and analysis; and
  • Setting of standards regarding the development and implementation of risk reduction strategies.

2. Purpose

2.1 HEE aims to be an organisation with a memory, learning lessons from its incidents. The purpose of this policy is to ensure that HEE manages and investigates all reported incidents in accordance with best practice, learning and sharing lessons learned, and taking appropriate action to protect individuals and the organisation from harm by:

  • recording and investigating incidents;
  • regular monitoring of incident data and appropriate reporting to the Audit Committee;
  • timely and effective reporting to statutory agencies;
  • promotion of a just and fair culture;
  • minimising loss of reputation or assets;
  • ensuring that lessons are learned from incidents to prevent such incidents recurring;
  • ensuring that HEE complies with current legislation, policies and best practice;
  • ensuring the Senior Information Risk Owner (SIRO) is aware of information security incidents and cyber security incidents;
  • ensuring a standardised approach to the management of Information Governance (IG) and cyber security incidents within HEE;
  • ensuring that learning from incidents is an integral part of HEE’s culture;
  • providing information to the accountable officer regarding incidents where fraudulent activity is suspected; and
  • promoting a culture of accountability without blame.

2.2 The principles underlying HEE’s approach are given below:

a) Ensuring Confidentiality

2.3 The incident reporting forms may include personal and special category information. All information relating to incidents will be stored securely in accordance with the GDPR and the DPA. Members of staff should use Office 365 as a secure way of sharing a completed incident form wherever possible. Should documents need to be posted, members of staff must use a sealed envelope to a named individual and mark it as ‘confidential’ and ‘addressee only’.

2.4 Any requests to keep an individual’s identity confidential will be respected as far as possible and in line with current legislation.

b) Learning from Incidents

2.5 An incident, however serious, is rarely caused wilfully. Incidents are often caused by several factors such as:

  • Process problems
  • Human error
  • Lack of knowledge or skills
  • Accessing fraudulent websites
  • Clicking on links within phishing emails

2.6 Learning from incidents can only take place when they are reported and investigated in an open and structured way. Determining safe practice and ensuring compliance with legislation is an important part of successful incident and risk management. Avoiding blame and adopting a culture of learning from incidents promotes a fair and open culture and a safe environment throughout the organisation.

2.7 HEE aims to ensure, as far as reasonably practicable, that there is appropriate learning from incidents. Incidents will be investigated as appropriate to ascertain the root cause of the problem and to enable HEE to learn from any mistakes and minimise the risk of recurrence.

2.8 IG and IT colleagues investigate and manage all IG and cyber security incidents and provide members of staff with guidelines on identifying and reporting incidents as outlined in this document.

2.9 This policy ensures that Caldicott 2 recommendations are addressed and that contractual obligations regarding the management, investigation and reporting of incidents are adhered to in a standardised and consistent manner.

c) Just and Fair Culture

2.10 HEE is committed to promoting an open and fair culture where members of staff feel able to report incidents or near misses and learn from mistakes without fear of recrimination.

2.11 All members of staff will be encouraged to recognise potential risks and feel supported in the reporting of an incident in a no blame culture. Exceptions to this are where the organisation’s policies and guidelines are deliberately breached or there is wilful misconduct or negligence.

3. Scope

3.1 This policy is relevant to all departments and functions within HEE and those working on behalf of HEE. It covers all activities carried out that involve the use of personal and / or special category data.

3.2 There are two pathways by which incidents are reported and subsequently managed depending on the type of incident. The pathways are:

  • IG and Cyber Security incidents as detailed in Annex A to C of the IG and Cyber Security Incident Management and Reporting Procedure document.
  • Health & Safety Incidents as detailed in the Incident Reporting including RIDDOR (Health & Safety) SOP.

4. Definitions

a) Confidentiality, Availability & Integrity (CIA) Triad

Collectively known as the 'CIA triad', confidentiality, integrity and availability are the three key elements of information security. If any of the three elements is compromised, then there can be serious consequences, both for HEE as a data controller and for the individuals whose data are being processed.

b) IG & Cyber Incident

A personal data breach (or IG breach) is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

A cyber incident is a breach of a system’s security policy in order to affect its integrity or availability, and / or the unauthorised access or attempted access to a system or systems, in line with the Computer Misuse Act 1990.

Incidents may be caused by human error, systems failure, a combination of several small mistakes occurring at the same time, or a cyber attack.

c) Health & Safety Incident

A health and safety incident or accident is any unplanned event that resulted in injury or ill health of people, or damage or loss to property, plant, materials or the environment or a loss of business opportunity.

d) Near Miss (prevented incident)

A near miss or prevented incident is an incident that has the potential to cause harm but was prevented from happening; this includes IG, cyber and health and safety incidents that did not lead to harm, loss or injury, disclosure or misuse of confidential data but had the potential to do so.

e) No Harm

A no harm incident is one where the incident happened but no harm resulted from it. An example of a no harm incident would be emailing confidential, password protected, data file to an incorrect recipient but not sending the password rendering the file inaccessible.

f) Notifiable Incident or Serious Incident Requiring Investigation

Any incident that creates a significant risk to the rights and freedoms of the individual is classed as ‘notifiable’ and must be reported to the Information Commissioner’s Office (ICO) via the Data Security and Protection Toolkit (DSPT) within 72 hours of becoming aware of the incident. The IG Team are responsible for reporting notifiable incidents within the Toolkit.

g) Personal Data

Personal data refers to any information relating to a living person (a ‘data subject’) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. The GDPR applies to both automated personal data and to manual filing systems, where personal data is accessible according to specific criteria, as well as to chronologically ordered data and pseudonymised data, e.g. key-coded.

h) Special Category data

Special category data (or sensitive personal data) is personal data that is deemed more sensitive, and therefore needs more protection. In particular, this type of data could create more significant risks to a person’s fundamental rights and freedoms, for example by putting them at risk of unlawful discrimination. The following information about an individual is categorised as special category data:

  • race
  • ethnic origin
  • politics
  • religion
  • trade union membership
  • genetics
  • biometrics (where used for ID purposes)
  • health
  • sex life
  • sexual orientation

5. Incident Reporting Overview

5.1 In line with Data Protection legislation, a personal data breach refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

5.2 All IG and cyber security incidents will be investigated, assessed, categorised and reported by the IG Team (with delegated responsibility of the Data Protection Officer (DPO)) using the NHS Digital Guide to the Notification of Data Security and Protection Incidents.

5.3 The IG team will ensure that all members of staff are made aware of, and understand, what constitutes a data breach as part of their mandatory training and via ad-hoc training sessions as requested.

5.4 All incidents are graded according to the significance of the breach and the likelihood of serious consequences occurring. Incidents are also graded according to the impact on the individual or groups of individuals and not the organisation.

5.5 Where a breach is likely to result in a risk to the rights and freedoms of individuals, the ICO and the Department of Health and Social Care (DHSC) (where applicable) will be informed within 72 hours of HEE becoming aware of it.

5.6 In the event that a breach is likely to result in a high risk to the rights and freedoms of an individual, HEE will notify the individuals concerned directly.

5.7 In the event that a breach is sufficiently serious, the public will be notified without undue delay.

5.8 Effective and robust breach detection, investigation and internal reporting procedures are in place at HEE, which facilitate decision-making in relation to whether the ICO, an individual or the public need to be notified.

5.9 Within a breach notification, the following information will be outlined:

  • the nature of the personal data breach, including the categories and approximate number of individuals and records concerned;
  • the name and contact details of the DPO;
  • an explanation of the likely consequences of the personal data breach;
  • a description of the measures and actions taken, or proposed to be taken, to deal with the personal data breach; and
  • where appropriate, a description of the measures taken to mitigate any possible adverse effects.

5.10 Failure to report a breach to the ICO when required to do so, could result in a monetary penalty.

6. Duties

6.1 All members of staff are responsible for reporting incidents and highlighting any risks or issues to the IG Team which could warrant further investigation.

6.2 Members of staff should:

  • ensure that all IG incidents are reported to the IG team within 24 hours
  • ensure that all cyber security incidents are reported to the IG team within 12 hours
  • also report cyber incidents to Local IT leads as soon as possible
  • familiarise themselves with the IG and cyber security incident procedure
  • take steps to mitigate incident risks
  • take steps to contain an incident (only when advised by the IG and/or IT teams)
  • encourage members of staff in their directorate/departments to follow HEE’s procedures and guidance documents
  • be fully open and co-operative with any investigation process

6.3 The final review of all electronic incident forms, by the IG team, will ensure that investigation and feedback to members of staff has been carried out.

6.4 Reports on incident numbers, trends and themes will be provided to the Audit Committee together with an Annual Report.

6.5 The Board has ultimate responsibility for the management of risk and for agreeing the annual Statement of Internal Control. It receives reports and assurance from the governance committee on the quality and safety of services and assurances of the effectiveness of risk reduction strategies.

6.6 The Board has delegated its powers to the Executive Team to identify and manage risks on its behalf.

6.7 The Chief Executive is responsible for this policy and has overall accountability for risk management and the safety of visitors and members of staff. The Chief Executive is ultimately responsible for ensuring all investigations are dealt with appropriately.

6.8 The Executive Team will monitor the incident reports.

6.9 National and Regional Directors should acknowledge, investigate (where appropriate) and provide feedback to their members of staff, ensuring that appropriate arrangements are in place for implementing the incident reporting procedure and creating an open and fair culture.

6.10 The Director of Finance is the accountable officer for incidents where fraudulent activity is suspected, including cyber security. Such information should be reported to the Director of Finance with immediate effect. In the absence of the Director of Finance such matters may be reported to the Local Counter Fraud Specialist (LCFS) or the National Fraud Reporting line - please refer to HEE’s Counter-Fraud and Anti-Bribery Policy.

6.11 The Director of Corporate Accountability and Engagement is the appointed SIRO for HEE and is therefore responsible for ensuring that a robust incident reporting process is in place.

6.12 HEE’s Executive Director of Education & Quality and National Medical Director is the appointed Caldicott Guardian for HEE and is the person responsible for protecting the confidentiality of service-user information, enabling appropriate information sharing and championing Caldicott at the Board.

6.13 HEE’s Audit Committee assists the Board by carrying out a review of the effectiveness of the management of risk activities, providing assurance and an independent overview on risk management.

6.14 The Audit Committee will be made aware of reports on incidents reported under the policy to enable trends and patterns to be identified. An annual risk management report will also summarise incidents reported under the policy in the year and identify any trends and lessons learned.

7. Equality Analysis

7.1 As a public body, HEE will give due regard to the need to avoid discrimination and promote equality of opportunity for all members of staff when making policy decisions and implementing this Policy and procedures.

7.2 HEE will also be monitoring the outcome of this policy (on an anonymous basis) to ensure there are no underlying themes relating to equality or any other characteristics that suggest any organisational or policy bias.

8. Education and Training Requirements

8.1 All members of staff will undertake mandatory data security awareness training on an annual basis.

8.2 Ongoing data security training and updated training and guidance material will be provided by the IG Team.

9. Monitoring Compliance and Effectiveness

9.1 HEE’s DPO will instruct the IG Team to undertake data protection and information security audits to monitor compliance with this policy.

9.2 Compliance with this policy will also be monitored by the Information Governance Steering Group, together with internal audits where necessary.

9.3 The DPO is responsible for monitoring, revision and update of this policy document on a tri-annual basis, or sooner should the need arise.

10. Associated Documentation

10.1 This policy will be implemented in conjunction with the following HEE policies:

  • The Information Governance & Cyber Security Incident Management and Reporting Procedures
  • Incident Reporting including RIDDOR (Health & Safety) SOP
  • Information Security Policy
  • Data Protection Policy
  • Information Risk Management Policy
  • Records Management Policy
  • Health & Safety Policy
  • Business Continuity Policy
  • Counter-Fraud and Anti-Bribery Policy

11. References