East Surrey Local Health Community Incident Reporting Policy Dated: April 2002 Version: 2.0 Incident Reporting Policy CONTENTS 1 Introduction ............................................................................................... 3 2 What is a non-clinical incident?................................................................. 3 3 How should this be reported? ................................................................... 4 4 How should these be responded to? ........................................................ 5 5 Follow up .................................................................................................. 5 Appendix 1 DRAFT of a non-clinical risk incident reporting form .............. 6 Dated April 2002 Version 2.0 Page 2 of 7 Incident Reporting Policy INCIDENT REPORTING POLICY 1 Introduction 1.1 The Authority/Trust/Practice has a responsibility to monitor all nonclinical incidents that occur within the organisation that may breach security and/or confidentiality of personal information. The Authority/Trust/Practice also needs to ensure that all incidents are identified, reported, monitored. The Authority/Trust Practice already has a method of recording clinical incidents but not necessarily nonclinical incidents relating to breaches of security and confidentiality. 1.2 The document attempts to detail the process of identifying, recording and monitoring non-clinical incidents. This is a requirement of the Caldicott recommendations and BS7799. 2 What is a non-clinical incident? 2.1 A non-clinical incident relating to breaches of security and/or confidentiality could be anything from users of computer systems sharing passwords to a piece of paper identifying a patient being found in the high street. 2.2 A security incident might be a ‘usual’ everyday event e.g. accidentally entering the wrong password or the wrong user id, forgetting to change a password within a specified time period. 2.3 A security incident might be an ‘unusual’ event e.g. something odd happening on the screen, a computer file disappearing, an unaccompanied stranger in a restricted area. 2.4 An IM&T security incident is defined as any event that has resulted or could result in: 2.5 The disclosure of confidential information to any unauthorised person The integrity of the system or data being put at risk The availability of the system or information being put at risk An adverse impact e.g. o Embarrassment to the NHS o Threat to personal safety or privacy o Legal obligation or penalty o Financial loss o Disruption of activities All incidents should be reported to the immediate line manager, security officer and Caldicott Guardian. Dated April 2002 Version 2.0 Page 3 of 7 Incident Reporting Policy 2.6 Some incidents may impact on other parts of the NHS e.g. a virus and if this is the case the incident should be reported to the NHS Information Authority Security and Data Protection officer. 2.7 Some examples of these types of incidents include: Finding computer printout of patient details at the play group Finding a clinic list, the back of which is used for a shopping list, in the supermarket Finding a patient manual record in a ladies toilet within a hospital site Finding a patient record in the back of an unattended wheelchair used by porters to move patients Identifying that a fax that was thought to have been sent to a GP had been received by a private householder Giving out identifiable information about an individual over the telephone Loosing a laptop computer with personal information on it Giving information to someone who should not have access to it – verbally, in writing or electronically Accessing a computer database using someone else’s authorisation e.g. someone else’s user id and password Trying to access a secure area using someone else’s swipe card or pin number when not authorised to access that area Finding your PC and/or programmes aren’t working correctly – potentially because you may have a virus Software malfunction Sending a sensitive e-mail to ‘all staff’ by mistake Finding an employees password written down on a ‘post-it’ Finding someone has tried to ‘break in’ to the office/building 3 How should this be reported? 3.1 All employees (contracted and non-contract) should be made aware through their contract of employment, training and by their manager of what is considered to be an incident. 3.2 They should be made aware that if they discover something that could be considered as an incident they should report this to their manager and complete a non-clinical risk incident reporting form (a copy of a ‘draft’ form is attached for this purpose at appendix 1). 3.3 This form should be copied to the Security Officer and the Caldicott Guardian and a copy kept within the department. 3.4 The form, which should be numbered, should identify the following: Date of discovery of incident Place of incident Dated April 2002 Version 2.0 Page 4 of 7 Incident Reporting Policy Who discovered incident Details of incident Category/classification of incident Report to senior management if risk to organisation and/or patient care Any action taken by person discovering incident at time of discovery Date incident reporting form has been sent to the security officer and/or Caldicott Guardian Action taken by security officer and/or Caldicott Guardian/Group to ensure incident does not occur again Follow-up action to check no re-occurrence of incident 4 How should these be responded to? 4.1 Incident reporting forms should be sent to the security officer and the Caldicott Guardian. If there is a Caldicott group or other group looking at security and confidentiality issues the form should also be sent to that group. 4.2 The Guardian and/or group should log the incident to enable a central register to be maintained of all incidents occurring within the organisation. 4.3 All registered incidents should be re-evaluated after a 6 month period to ensure the type of incident is no longer being reported or the volume of those types of incidents has dramatically reduced. 4.4 If there is no change in the volume of each type of incident the senior management should be alerted and appropriate action taken. This could be further training courses for staff or an improvement to existing security and/or confidentiality arrangements. 4.5 Some incidents may involve the invoking of the Authority/Trust/Practice Disciplinary Procedures. Incidents that are deemed to be a disciplinary offence are detailed within the Disciplinary Procedures. 5 Follow up 5.1 Incidents should be used in training sessions about security and confidentiality as using ‘real life events’ relevant to an organisation can always be related to, by staff, a lot better than imaginary events. This will give attendees an example of what could occur, how to respond to such events and how to avoid them in the future. Dated April 2002 Version 2.0 Page 5 of 7 Incident Reporting Policy Appendix 1 DRAFT of a non-clinical risk incident reporting form Non-clinical risk incident reporting form Form number: Details of incident Place of discovery Who discovered Date of discovery Action taken by discoverer Reported to Date Category/classification incident of Please note: Classifications to be agreed by health community – to ensure consistency. Existing NHS classifications seem too complex and non identified in BS7799 – maybe check GAP analysis software Date reported to senior management Date reported to Caldciott Guardian Date Incident form sent to Security Officer Action taken management by senior Action taken by Caldicott Guardian Action taken by Security Officer Follow-up undertaken by check Date Dated April 2002 Version 2.0 Page 6 of 7 Incident Reporting Policy How to complete the form Complete all sections of the form and send a copy to the relevant Authority/Trust/Practice personnel. The areas below are designed to assist with the completion of the form What needs to be reported? An incident is anything that happens to any type of information that should not occur e.g. breach of confidentiality/breach of security. Some more common areas are listed below but this list is not exhaustive and should be used as guidance. If there is any doubt as to what you have found being an incident it is best to report it to the relevant personnel for their decision – by completing the form. Examples of incidents Breach of security Loss of computer equipment due to crime or an individual’s carelessness Loss of computer media e.g. floppy disc, CD due to an individual’s carelessness Accessing any part of a database using someone else’s authorisation either fraudulently or by accident Trying to access a secure part of the organisation using someone else’s PIN number, swipe card Finding the doors and/or windows have been broken and forced entry gained to a secure room/building Breach of confidentiality/security Finding a computer printout with a header and a persons information on it at a location outside of any Authority/Trust/Practice premises/building Finding any paper records about a patient/member of staff or business of the organisation in any location outside of the Authority/Trust/Practice premises/buildings Being able to view patient records in the back (or front) of an employees car (e.g. Doctors and Nurses) Discussing patient or staff personal information with someone else in an open area where the conversation can be overheard A fax being received by the incorrect recipient Dated April 2002 Version 2.0 Page 7 of 7