News and presentations from today's conference.
A Step by Step Guide to Investigating a Data Breach
Barry Moult, Information Governance Consultant, Chair Eastern Region Information Forum. Former Chair, Regional Strategic Information Governance Network (East of England). DPO for GP Practices and IG Consultant, Data Privacy Trainer
• 72 hours in the life of a data breach
• undertaking an incident investigation
• investigating the root causes of breaches and near misses
• using the five W’s
• preparing the report
• implications of data breaches and effective reporting and management of information governance serious incidents
Barry started his presentation by stating that GDPR calls on all organisations to report data breaches. He advised not to be caught out: as soon as a data breach is raised, it is important to work through the whole process of what has happened. Apply lean thinking from start to finish, and train all IG staff on this, including SIROs and Caldicott Guardians. Barry said you need to ask: what are the risks, how is the breach going to affect individuals, do we have a robust investigation process in place, and how are we going to record the breach and the investigation? He also reminded the audience not to forget that the Data Security and Protection Toolkit (DSPT) needs to be completed.
Following the breakout discussion, the common data breaches identified included letters sent to the wrong patients, emails sent to the wrong people or with the wrong attachments, and lost laptops.
Barry said there are different ways to investigate, but you need to ask: what are you investigating, how did it happen (was it human error, an accident or deliberate), where did the incident happen, when did it happen, and why did it happen? He said: "Any data incident is serious and needs to be investigated, some of the incidents are very near misses...and could have been catastrophic for your organisation or patients." Barry went on to say that after the investigation we need to decide whether it should be reported to the ICO, and also identify the lessons learnt; prevention is better than cure, and we need to minimise the risk of data incidents happening again.
Identification and risk assessment of a data breach
Caroline Law
Regional SIGN Chair
• identification of data breaches
• risk-assessing data breaches
• who should be informed of the data breach, internally and externally?
• ensuring no further data leakage occurs
• understanding the sensitivity of the data including likelihood and severity of risk