East Surrey Local Health
Community
Incident Reporting Policy
Dated: April 2002
Version: 2.0
Incident Reporting Policy
CONTENTS
1 Introduction ............................................................................................... 3
2 What is a non-clinical incident?................................................................. 3
3 How should this be reported? ................................................................... 4
4 How should these be responded to? ........................................................ 5
5 Follow up .................................................................................................. 5
Appendix 1
DRAFT of a non-clinical risk incident reporting form .............. 6
Dated April 2002 Version 2.0
Page 2 of 7
Incident Reporting Policy
INCIDENT REPORTING POLICY
1
Introduction
1.1
The Authority/Trust/Practice has a responsibility to monitor all nonclinical incidents that occur within the organisation that may breach
security and/or confidentiality of personal information.
The
Authority/Trust/Practice also needs to ensure that all incidents are
identified, reported, monitored. The Authority/Trust Practice already
has a method of recording clinical incidents but not necessarily nonclinical incidents relating to breaches of security and confidentiality.
1.2
The document attempts to detail the process of identifying, recording
and monitoring non-clinical incidents. This is a requirement of the
Caldicott recommendations and BS7799.
2
What is a non-clinical incident?
2.1
A non-clinical incident relating to breaches of security and/or
confidentiality could be anything from users of computer systems
sharing passwords to a piece of paper identifying a patient being found
in the high street.
2.2
A security incident might be a ‘usual’ everyday event e.g. accidentally
entering the wrong password or the wrong user id, forgetting to change
a password within a specified time period.
2.3
A security incident might be an ‘unusual’ event e.g. something odd
happening on the screen, a computer file disappearing, an
unaccompanied stranger in a restricted area.
2.4
An IM&T security incident is defined as any event that has resulted or
could result in:




2.5
The disclosure of confidential information to any unauthorised
person
The integrity of the system or data being put at risk
The availability of the system or information being put at risk
An adverse impact e.g.
o Embarrassment to the NHS
o Threat to personal safety or privacy
o Legal obligation or penalty
o Financial loss
o Disruption of activities
All incidents should be reported to the immediate line manager,
security officer and Caldicott Guardian.
Dated April 2002 Version 2.0
Page 3 of 7
Incident Reporting Policy
2.6
Some incidents may impact on other parts of the NHS e.g. a virus and
if this is the case the incident should be reported to the NHS
Information Authority Security and Data Protection officer.
2.7
Some examples of these types of incidents include:















Finding computer printout of patient details at the play group
Finding a clinic list, the back of which is used for a shopping list, in
the supermarket
Finding a patient manual record in a ladies toilet within a hospital
site
Finding a patient record in the back of an unattended wheelchair
used by porters to move patients
Identifying that a fax that was thought to have been sent to a GP
had been received by a private householder
Giving out identifiable information about an individual over the
telephone
Loosing a laptop computer with personal information on it
Giving information to someone who should not have access to it –
verbally, in writing or electronically
Accessing a computer database using someone else’s authorisation
e.g. someone else’s user id and password
Trying to access a secure area using someone else’s swipe card or
pin number when not authorised to access that area
Finding your PC and/or programmes aren’t working correctly –
potentially because you may have a virus
Software malfunction
Sending a sensitive e-mail to ‘all staff’ by mistake
Finding an employees password written down on a ‘post-it’
Finding someone has tried to ‘break in’ to the office/building
3
How should this be reported?
3.1
All employees (contracted and non-contract) should be made aware
through their contract of employment, training and by their manager of
what is considered to be an incident.
3.2
They should be made aware that if they discover something that could
be considered as an incident they should report this to their manager
and complete a non-clinical risk incident reporting form (a copy of a
‘draft’ form is attached for this purpose at appendix 1).
3.3
This form should be copied to the Security Officer and the Caldicott
Guardian and a copy kept within the department.
3.4
The form, which should be numbered, should identify the following:


Date of discovery of incident
Place of incident
Dated April 2002 Version 2.0
Page 4 of 7
Incident Reporting Policy








Who discovered incident
Details of incident
Category/classification of incident
Report to senior management if risk to organisation and/or patient
care
Any action taken by person discovering incident at time of discovery
Date incident reporting form has been sent to the security officer
and/or Caldicott Guardian
Action taken by security officer and/or Caldicott Guardian/Group to
ensure incident does not occur again
Follow-up action to check no re-occurrence of incident
4
How should these be responded to?
4.1
Incident reporting forms should be sent to the security officer and the
Caldicott Guardian. If there is a Caldicott group or other group looking
at security and confidentiality issues the form should also be sent to
that group.
4.2
The Guardian and/or group should log the incident to enable a central
register to be maintained of all incidents occurring within the
organisation.
4.3
All registered incidents should be re-evaluated after a 6 month period
to ensure the type of incident is no longer being reported or the volume
of those types of incidents has dramatically reduced.
4.4
If there is no change in the volume of each type of incident the senior
management should be alerted and appropriate action taken. This
could be further training courses for staff or an improvement to existing
security and/or confidentiality arrangements.
4.5
Some incidents may involve the invoking of the Authority/Trust/Practice
Disciplinary Procedures. Incidents that are deemed to be a disciplinary
offence are detailed within the Disciplinary Procedures.
5
Follow up
5.1
Incidents should be used in training sessions about security and
confidentiality as using ‘real life events’ relevant to an organisation can
always be related to, by staff, a lot better than imaginary events. This
will give attendees an example of what could occur, how to respond to
such events and how to avoid them in the future.
Dated April 2002 Version 2.0
Page 5 of 7
Incident Reporting Policy
Appendix 1
DRAFT of a non-clinical risk incident reporting form
Non-clinical risk incident reporting form
Form number:
Details of incident
Place of discovery
Who discovered
Date of discovery
Action taken by discoverer
Reported to
Date
Category/classification
incident
of Please note:
Classifications to be agreed by health community – to
ensure consistency. Existing NHS classifications
seem too complex and non identified in BS7799 –
maybe check GAP analysis software
Date reported to senior
management
Date reported to Caldciott
Guardian
Date Incident form sent to
Security Officer
Action taken
management
by
senior
Action taken by Caldicott
Guardian
Action taken by Security
Officer
Follow-up
undertaken by
check
Date
Dated April 2002 Version 2.0
Page 6 of 7
Incident Reporting Policy
How to complete the form
Complete all sections of the form and send a copy to the relevant
Authority/Trust/Practice personnel.
The areas below are designed to assist with the completion of the form
What needs to be reported?
An incident is anything that happens to any type of information that should not occur
e.g. breach of confidentiality/breach of security. Some more common areas are
listed below but this list is not exhaustive and should be used as guidance. If there is
any doubt as to what you have found being an incident it is best to report it to the
relevant personnel for their decision – by completing the form.
Examples of incidents
Breach of security
Loss of computer equipment due to crime or an individual’s carelessness
Loss of computer media e.g. floppy disc, CD due to an individual’s carelessness
Accessing any part of a database using someone else’s authorisation either
fraudulently or by accident
Trying to access a secure part of the organisation using someone else’s PIN number,
swipe card
Finding the doors and/or windows have been broken and forced entry gained to a
secure room/building
Breach of confidentiality/security
Finding a computer printout with a header and a persons information on it at a
location outside of any Authority/Trust/Practice premises/building
Finding any paper records about a patient/member of staff or business of the
organisation in any location outside of the Authority/Trust/Practice premises/buildings
Being able to view patient records in the back (or front) of an employees car (e.g.
Doctors and Nurses)
Discussing patient or staff personal information with someone else in an open area
where the conversation can be overheard
A fax being received by the incorrect recipient
Dated April 2002 Version 2.0
Page 7 of 7