FoI Number: 2023-068
Subject: Data Breaches
Date Received: 04/05/2023
Request and Response

1. In 2023, on how many occasions so far have GDPR rules been breached by this health board? Please also provide data for each calendar year since 2018.

For data from 2018 to 30 August 2022, and in accordance with FOISA s 16(1), NHS Shetland confirms that it holds the information requested but that it is exempt from disclosure under FOISA s 25(1) as the information requested is accessible without submitting a request under FOISA s 1(1). The information you have requested is available here:

https://www.nhsshetland.scot/downloads/file/686/2022-335

https://www.nhsshetland.scot/downloads/file/704/2022-356

NHS Shetland has made it easier for you to search previous FOI requests/responses. We would be grateful if you could check the register and other published sources before submitting a request to see if the information you need has already been published. This will save both time and public resources:

https://www.nhsshetland.scot/directory/2/-foi-response-register

For data from 31 August 2022 to 4 May 2023, please see the tables below.

31 August 2022 to 31 December 2022

| Incident type                                                            | Count | Reported to ICO |
|--------------------------------------------------------------------------|-------|-----------------|
| Alteration of / error in personal data                                   | 2     | 0               |
| Data emailed/texted to the wrong recipient                               | 3     | 0               |
| Data posted/faxed/handed to incorrect recipient                          | 1     | 0               |
| Hardware/software misconfiguration                                       | 2     | 0               |
| Loss/theft of paperwork/data or paperwork/data left in unsecure location | 1     | 0               |
| Other non-cyber incident                                                 | 1     | 0               |
| Verbal disclosure of personal data                                       | 1     | 0               |
| Grand Total                                                              | 11    | 0               |

2023 to 4 May

| Incident type                                                            | Count | Reported to ICO |
|--------------------------------------------------------------------------|-------|-----------------|
| Data emailed/texted to the wrong recipient                               | 2     | 0               |
| Data posted/faxed/handed to incorrect recipient                          | 2     | 1               |
| Loss/theft of paperwork/data or paperwork/data left in unsecure location | 3     | 0               |
| Other non-cyber incident                                                 | 2     | 0               |
| Verbal disclosure of personal data                                       | 2     | 0               |
| Grand Total                                                              | 11    | 0               |

Notes:

  • We have interpreted your question to refer to personal data breaches as defined by Article 4(12) of the UK General Data Protection Regulation (UK-GDPR): “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
  • The figures in the tables above only include incidents for which NHS Shetland was the sole or joint data controller. While we do record incidents for which NHS Shetland is not the data controller (for instance, if patient information is erroneously sent to NHS Shetland by another health board / data controller), we have not included these incidents as NHS Shetland has no responsibility for them.
  • Since the advent of the GDPR and Data Protection Act 2018 (DPA 2018), NHS Shetland has carried out extensive work in training / raising awareness of data protection issues as well as improvements to the categorisation of data incidents on our adverse event reporting system, leading to an increase in numbers of incidents reported and categorised as data incidents.
  • NHS Shetland records and investigates all data breaches reported through our adverse event reporting system, regardless of severity. As part of the investigation process, and in accordance with our duties under the UK-GDPR, we assess whether each incident is likely to result in harm to the rights and freedoms of the data subject(s) involved. If this is assessed to be the case, we self-report the breach to the Information Commissioner’s Office (ICO).

In all the incidents reported to the ICO to date and for which the ICO has issued a decision notice, the ICO has determined that no further action was necessary.

2. In relation to question 1, could you group these breaches into categories? E.g. Sent patient data to wrong individual etc.

See question 1 above.