FoI Number: 2024-045
Subject: Data Breaches
Date Received: 18/04/2024

Request and Response
  1. Please state how many data breaches there have been in the health board over the last five years (2019-20, 2020-21, 2021-22, 2022-23 and 2023-24)

With regard to the period from 2019 to 4 May 2023, and in accordance with FOISA s 16(1), NHS Shetland confirms that it holds the information requested but that it is exempt from disclosure under FOISA s 25(1), as the information requested is accessible without submitting a request under FOISA s 1(1). The information you have requested is available here:

https://www.nhsshetland.scot/directory-record/1890/data-breaches

NHS Shetland has made it easier for you to search previous FOI requests/responses. We would be grateful if you could check the register and other published sources before submitting a request to see if the information you need has already been published. This will save both time and public resources:

https://www.nhsshetland.scot/directory/2/-foi-response-register

In the period between 4 May 2023 and 31 March 2024 there were 34 incidents.

Notes:

  • We have interpreted your question to refer to personal data breaches as defined by Article 4(12) of the UK General Data Protection Regulation (UK-GDPR): “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
  • This figure only includes incidents (not near misses) for which NHS Shetland was the sole or joint data controller. While we do record incidents for which NHS Shetland is not the data controller (for instance, if patient information is erroneously sent to NHS Shetland by another health board / data controller), we have not included these incidents as NHS Shetland has no responsibility for them.

  2. How many of these breaches related to patients receiving the incorrect information, diagnosis, or the information of another patient? Where this happened, please state which kind of information was shared.

Please provide the nature of the breaches in as much detail as possible.

| Incident type | Identifiers only | Special category data |
|---|---|---|
| Alteration of / error in personal data | 0 | 3 |
| Data posted/faxed/handed to incorrect recipient | 1 | 7 |

Due to the risk of identifying individuals, this is the extent of the detail we can provide.