A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
The Data Protection Act 2018 (DPA 2018) [1] and the UK General Data Protection Regulations (UK GDPR) [2] introduce a duty on all organisations to report certain types of data breach to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it. These are breaches that are likely to result in a risk to the rights and freedoms of individuals i.e. the breach could lead to discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. If it is judged that the breach is likely to result in a high risk to the individual’s rights and freedoms, the individual must also be notified without undue delay. In Dental Practice a breach of confidentiality is an example of something that will be notifiable to the ICO. You may find it helpful to discuss a breach with your indemnity organisation prior to notifying the ICO.
Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.
Ensure that you have procedures in place to detect, report and investigate a personal data breach.
If you discover a data breach which is likely to result in a risk to the rights and freedoms of individuals, report this to the ICO within 72 hours.
- If it is judged that the breach is likely to result in a high risk to the individual’s rights and freedoms (e.g. identity theft or breach of confidentiality), notify the individual without undue delay.
If you use an external data processor, ensure that they will report any data breach to you as soon as they become aware of it – you are then responsible for reporting the breach to the ICO within 72 hours.