- FoI Number
- 2024-339
- Subject
- Data Breaches
- Date Received
- 26/09/2024
- Request and Response
- The total number of data protection breaches that have occurred during each year since 2018.
Notes:
- We have interpreted your question to refer to personal data breaches as defined by Article 4(12) of the UK General Data Protection Regulation (UK-GDPR): “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. This includes both patient and staff personal data.
- Figures provided only include incidents in which NHS Shetland was the sole or joint data controller.
- Since the advent of the GDPR and Data Protection Act 2018 (DPA 2018), NHS Shetland has carried out extensive work in training / raising awareness of data protection issues as well as improvements to the categorisation of data incidents on our adverse event reporting system, leading to both an increase in numbers of incidents reported and those categorised as data incidents.
- For each breach reported, please provide (a) the year of the breach, (b) if possible, the department involved, (c) if possible, the number of individuals affected.
See attached spreadsheet. Note that estimates are given for incidents in which the exact number of individuals potentially affected cannot be determined.
- Please provide information on whether any serious data breaches (as defined under GDPR) have failed to be reported to the Information Commissioner’s Office (ICO) within the legally required 72-hour period and the year of the breach.
Since the advent of GDPR, there have been 19 occasions on which the 72-hour deadline was not met. In all cases, the reasons for the delay were provided to, and accepted by, the ICO, with no further action resulting from the delay.