PML Data Security Investigation Process





The purpose of this document is to define the procedure in the event of a Data Security Breach and subsequent investigation across the organisation to minimise the risks associated with any data breaches. It also outlines the actions that should be taken in the event of a breach to ensure data is secure and to prevent further breaches occurring.

PML must notify a breach of personal or sensitive data to The Information Commissioner (ICO) within 72 hours of PML becoming aware of the breach (the actual incident may have occurred days, weeks or months earlier) if it is likely to result in a high risk to the rights and freedoms of individuals. We must also inform those individuals without undue delay.

A health record file

We are not expected to have fully investigated incidents within 72 hours of a breach awareness and utilisation of the tools on the ICO or DPST websites provide guidance on when to report.

Following PML’s internal reporting and investigation process will facilitate a thorough investigation and inform outcomes and learning.


What is a breach and personal data

A data breach is defined as:

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Personal data is defined as:

‘Any information relating to an identified or identifiable living individual’

Types of breaches

The three types of breaches as defined in the Article 29 Working Party on Personal data breach notification are Confidentiality, Integrity or Availability (CIA).

  • Confidentiality breach: unauthorised or accidental disclosure of, or access to personal data
  • Availability breach: unauthorised or accidental loss of access to, or destruction of, personal data
  • Integrity breach: unauthorised or accidental alteration of personal data

When is an incident reportable under GDPR?

Incidents are graded according to the impact on the individual or groups of individuals and not PML.

Incidents are reviewed by the Data Protection Officer and/or Caldicott Guardian or the Senior Information Risk Owner when determining what the significance and likelihood of a data breach will be.

The DPO serves as a point of contact between PML and the ICO and guides PML around its responsibilities as ‘controller’ or ‘processor’ of the personal data of staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules.

Depending on the risk level or outcome of the investigation, reporting to the ICO and affected individuals will be determined.

There are a limited number of circumstances where, even when an organisation is aware of a breach of personal data, there may be containment actions that will remove the need for notification to the ICO but they may still need to be recorded as a near miss.

Staff in doubt about whether they need to report an incident should refer to their line manager and all managers should refer to PML’s Incident Reporting Procedure for guidance or escalate to the SIRO/DPO.



This policy applies to all staff across PML including employed staff, temporary or casual workers, consultants, locums, agency staff, suppliers, contractors or any other data processors who are accessing, storing or processing data on the behalf of PML.



It is the duty of the person that identified the breach or potential breach to ensure the correct reporting procedure is followed and inform their line manager or their delegate if not available, who will deal with the immediate needs of the incident.



All incidents must be reported within 48 hours via the incident reporting mechanism via the intranet.

Serious Incidents must be reported immediately to the DPO or On Call Director. (in hours 01295 981166; out of hours 07786 911526)

All staff involved to complete a separate form without conferring and should refer to PML’s Incident reporting Policy found on the PML Intranet or Teamnet.

All incidents reported using the correct forms/procedure will be submitted as agenda items for review at the next Operational/Clinical meeting and report outcome to the Governance Group or Senior Management Group.



Feedback will be shared with staff via line management following the results of incidents, without sharing any individual data, to inform any changes in procedure that need to be implemented and to avoid similar breaches happening again.

PML also produces an annual incident report which is reviewed by Governance Group and shared with Senior Management Group to ensure that any remedial action has been taken and assure the PML Board appropriate systems are in place.



This policy will be reviewed on a three yearly basis or through change of legislation.

Reviewed July 2021. Approved by Senior Management Group (July 2021)