Managing a data breach

Q. What should we do when we suspect we have a personal data breach in the practice?

A. 'Personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Example of typical data breaches are:

• Loss or theft of data or equipment on which data is stored;
• Loss or theft of documents/folders
• Unforeseen circumstances such as a flood or fire which destroys information
• Inappropriate access controls allowing unauthorised use;
• A hacking/cyber-attack (such as ransomware)
• Obtaining information from the practice by deception;
• Misaddressing of e-mails/human error (sending a copy of a laboratory report or radiology result to a wrong patient).

It is important to note that breaches also include the accidental loss of personal data (eg. fire causing the loss of paper files). In addition, statistics indicate that most breaches are internal in nature and due to non-malicious user behaviour (eg. loss of unencrypted laptop or USB, files etc). There is a 'protocol for managing a data breach' and a 'data breach reporting template' available in the appendices section of the ICGP Data Protection Guideline, available at www.icgp.ie/data.