Managing Risk – No. 8

Introduction and comments

Information is valuable to primary care and the NHS as a whole as it allows us to treat and protect patients, as well as to design and provide them with the best possible services. It is important for practices to understand what information they hold, why they hold it and what safeguards are in place to protect the data. By doing so we can ensure that information is used in a secure and lawful manner to prevent information breaches, as well as keeping our patients’ trust.

This week we looked at information risk management and revisited the role of the Data Protection Officers (DPOs) and the reporting of breaches and serious incidents.

Review of action points from prior session

  • To do 22 Review your DPIA to see what technical and organisational measures are required for your Practice
  • To do 23 The contracts you listed for Blog No. 5 will require an assessment of compliance against the Data Security and Protection Toolkit or against the questions asked within the template checklist. If the latter, send the letter and checklist template to the provider/supplier to complete and follow the process outlined within the blog.
  • To do 24 Review information on the new Data Security & Protection Toolkit and sign up for Webex training sessions
  • To do 25 Log-in or register for the Data Security & Protection Toolkit to start completing your submission before 31 March 2019

Work covered this week

Information Risk Management

Information risk should not be treated differently to any other risk to the practice, whether it is financial or workforce risk. You will already have risk management processes set up. We need to check whether information risks have been recorded within your risk registers and that mitigating controls have been put in place.


Where will information risks arise prior to a breach happening?

From the activities noted in Blog No. 2 – Information Asset and Data Flow Mapping and Blog No. 3 – Data Protection Impact Assessments (DPIAs), we have added possible risks to the practice and/or have identified risks from the DPIAs undertaken.

You may also conduct a physical audit of the practice to test staff awareness and processes to establish whether there are any potential information risks or training needs. These activities will enable you to identify risks and also demonstrate good evidence for your Data Security and Protection Toolkit.

We have developed an information risk register. This lists the information risks we have identified at this practice and shows examples of the different types of risks. The Information Governance Staff Handbook should also be reviewed as this also details good practice for mitigating information risk to your Practice.


Data Protection Officer (DPO) in relation to GP Practices

To support the Information Risk Management process, there is a need to establish a structured framework and reporting mechanism. To meet the requirements of GDPR and the Data Security and Protection Toolkit, each Practice is required to appoint individuals to roles to support this framework and to deliver compliance.

GP Practices are considered Public Authorities under the provisions set out within Schedule 1 of the Freedom of Information Act 2000. This is due to the processing of personal confidential data for the NHS. GDPR specifies that all Public Authorities are required to appoint a Data Protection Officer (DPO).

The activities of the DPO within General Practice are detailed within the Information Governance Alliance GDPR guidance note for GPs and also their GDPR: Guidance on the Data Protection Officer.

Primarily the DPO should deliver independent advice and monitor processing activities and practice. Due to the independent nature of the role, here are some activities the DPO can and can’t do:

It is a requirement for the DPO to monitor processing activities to ensure compliance with GDPR. The Practice is required to submit its DPIAs, Information Asset and Data Flow registers, risk registers and incident logs to the DPO on a regular basis so that the DPO can monitor compliance with the Data Protection legislation and prevent personal data breaches.

For the activities that the DPO cannot undertake, the Practice should ensure that there is a decision-making function and approval process in place. This is likely to be your Practice Caldicott Guardian.

As part of the Caldicott function, the Caldicott Guardian should be aware of processing activities, information risks to the Practice and any risks that would have privacy implications for data subjects. The Caldicott Guardian can approve information sharing agreements, contracts and breach investigation reports. The Caldicott Guardian should be the Practice’s first point of contact on Information Governance/GDPR matters.

Your Practice’s DPO [Action point]

As you are aware NWL CCGs have appointed a single DPO as an interim measure to help meet this responsibility, until Practices decide on how they wish to provide this service themselves. This arrangement can only work in the short-term in conjunction with the provision of GDPR support through this blog and our ability to access subject matter expert opinion through an IG consultancy. This is a time-limited resource and one which will reduce after November 2018. Whilst further support will continue to be available, this will be limited. It is essential that practices understand that it is a legal requirement for them to appoint a DPO who will be able to provide the services outlined in this blog.

Practices may decide to provide a DPO themselves, or consider a shared role across a CCG or federation. We have reminded CCGs about the limited timescale for implementation of DPOs to cover their GP practices in 2019, and are canvassing them for further support. We encourage NWL primary care health care communities to discuss this important issue at their CCG member meetings.

Information Governance Breaches and Serious Incidents

The Practice should ensure that robust mechanisms are in place for the reporting and monitoring of information breaches, whether they are serious or near misses. GDPR defines a breach:

Article 4(12) “Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Here are some examples of breaches or near misses:

In the event of a personal data breach, the individual should follow the Practice’s Incident Reporting policy. The policy should include the reporting mechanism and the roles the breach is reported to. The Practice should also follow NHS Digital’s Incident Reporting guidance.

The table below details which severity of breach is required to be reported to the ICO and which can be dealt with locally. This is the reporting detailed within the new NHS Digital Incident Reporting guidance. It is a requirement that all Practices follow NHS Digital’s guidance on incident reporting.


The reporting mechanism is through the Practice’s Data Security and Protection Toolkit.

Reporting Structure:

GP Practices are required to report breaches through several mechanisms/bodies.

All levels of breach are required to be logged as a Serious Incident on the Strategic Executive Information System (StEIS), which serves as a learning portal for the NHS, and at Practice level through incident report forms/logs. Resulting risks should also be included within the information risk register. These will need to be provided to the DPO on a regular basis to assess whether the mitigating actions are effective and the risk minimised.

Should a potential or actual breach occur, please consult the Caldicott Guardian and the DPO.

Resources Used

Output Documentation


Learning points

  • The earlier data flow mapping exercise and DPIA should provide much of the information required for information risk management.
  • Your practice must appoint a DPO.
  • Be aware of what your DPO can and can’t do and ensure your Caldicott Guardian is aware of their responsibilities.
  • NHS Digital has issued a guide on incident reporting which must be followed.
  • All levels of breach are required to be logged on StEIS and on Practice incident report forms/logs.


Practice checklist

  • To do 26 Check whether information risks have been recorded in your risk registers and that mitigating controls are in place. Look at your data flow mapping and DPIAs.
  • To do 27 Conduct a physical audit in your practice – test staff awareness and processes to see if there are any potential information risks or training needs.
  • To do 28 Review the example information risk register and update it for your practice.
  • To do 29 Review the Information Governance Staff Handbook to check you are following best practice; if not, update your information risk register.
  • To do 30 Discuss the future provision of a DPO for your practice (at a practice, CCG or Federation level) and, if you have not done so already, make arrangements to appoint one in 2019.
  • To do 31 Ensure you have a decision-making function and approval process in place (Practice Caldicott Guardian).
  • To do 32 Make sure you have an incident reporting policy in place. The policy should include the reporting mechanism and the roles the breach is reported to.
  • To do 33 Review NHS Digital’s Incident Reporting guidance and ensure you follow it.


Next session on 30.08.18

(Blog No. 9 due 04.09.18)

We will be looking at how we provide electronic access to patient records in routine circumstances and the issues around providing proxy access for children and patients who may lack capacity.
