The following dilemma is fictional, but based the types of calls we receive from DDU members.
The scene
A member of staff at the practice had accidentally given a patient a paper copy of the surgery day list, which included other patient's names, contact details and medical histories. Our member was seeking advice on what to do next.
DDU advice
Our adviser explained that this unfortunate incident was indeed a GDPR personal data breach, and as such should be treated as an information security Incident. The practice data controller (if this was not the member) and data protection officer (DPO) would need to be informed as soon as possible, as would the patients concerned. The patient should be informed to return the day list to the practice securely, and without delay.
Due to the significant impact on the affected patients, including the potential for confidential medical details to become known to others, our member was advised that notifying the Information Commissioners Office (ICO) that a data breach had occurred was likely to be advised by the practice's DPO.
In this case, the member was advised that any report to the ICO should be made without undue delay, and no later than 72 hours after becoming aware of the breach. A local adverse incident investigation within the practice would also be necessary. Keeping good, clear records at every stage would be important.
Our advisor suggested that in situations such as this, in-house staff training would be appropriate so that lessons could be learned, and to prevent something similar from happening again in the future. The member was very grateful for the advice.
Learning points
An incident like this can happen all too easily, and it's important that robust practice procedures are in place so data breaches can be correctly detected, investigated, managed and reported. As outlined in the GDC's Standards, dental registrants have a professional responsibility to be honest and act with integrity.
GDPR regulations define a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed." In this case, both personal data and sensitive personal data had been accidentally disclosed without authorisation, but in nearly all cases, it is sensible to tell patients about any data breaches that occur.
Not every data breach meets the threshold for notification to the ICO. To identify those that do, members can access the ICO's self-assessment breach tool on the organisation's website.
A data breach in Scotland, Wales and Northern Ireland must be reported via the ICO breach reporting tool in each jurisdiction.
All breach notifications need to include the type of personal data breach, including:
- the categories and approximate number of individuals concerned
- categories and approximate number of personal data records concerned
- name and contact details of DPO or other contact point
- description of likely consequences of the breach
- description of measures taken or proposed to deal with the breach, including measures to mitigate possible adverse effects.
In-house policies should include a named person (such as the DPO) to lead on the local investigation and incident management into any data breach.
All staff, including trainees, should be aware of what constitutes a data breach, and induction procedures should ensure that all staff receive GDPR training.