Introduction
BrisDoc is committed to protecting the personal data of all individuals we work with, including patients, staff, and partners. Despite robust controls, there may be occasions where a data breach occurs.
This procedure sets out how to identify, report, assess, and respond to personal data breaches. Prompt action helps to minimise harm, meet our legal obligations under UK GDPR and the Data Protection Act 2018, and maintain trust in our services.
A data breach refers to any incident where personal data is accidentally or unlawfully:
- Lost or destroyed
- Disclosed to someone without authorisation
- Altered without permission
- Accessed by unauthorised individuals
Examples of incidents that must be reported include:
- Loss or theft of personal data (e.g. paper files, laptops, USBs)
- Sending personal data to the wrong recipient
- Unauthorised sharing or access to personal information
- Corruption or unauthorised changes to personal records
All suspected or actual breaches must be reported immediately – or as soon as possible – to the Caldicott Guardian and/or Information Governance (IG) Lead.
Once notified, the following actions will take place:
- The Board of Directors and Data Protection Officer (DPO) will be informed.
- The breach will be assessed to determine its severity and potential impact on individuals.
- A decision will be made on whether the affected individuals and the Information Commissioner’s Office (ICO) need to be notified.
- If required, affected individuals will be informed without delay.
- All decisions and actions will be recorded in the Data Breach Register.
We have a legal duty to report certain breaches to the ICO within 72 hours of becoming aware of them. It is therefore essential that all staff act promptly and follow this procedure at all times, including at weekends and on bank holidays.