Dealing with data breaches

If you are required to report a breach, you should report it immediately. The HSE must report breaches to the Data Protection Commission within 72 hours of a notifiable personal data breach. This is done through the DDPO offices, following consultation with the local service where the breach occurred.

What is a personal data breach?

A personal data breach is the accidental or unlawful destruction, loss or alteration of personal data, or the unauthorised disclosure of, or access to, personal data.

The term ‘personal data’ means any information relating to an identified or identifiable living individual.

Reporting a data breach

Report a known or suspected data breach to your line manager and local deputy data protection officer (DDPO).

Your line manager will help you identify if the incident is a potential data protection breach. You should work together to complete the Data Breach Incident Report form. Send the form to your local deputy data protection officer (DDPO).

For an information systems security breach, call the National Service Desk on 0818 300 300.

The DDPO will confirm if the incident is a data breach. Data breaches are logged and the DDPO will advise on the necessary remedial actions to take.

Individuals impacted by the breach may need to be notified, if it is likely to result in a high risk to their rights and freedoms.

Common examples of personal data breaches across HSE in 2021

The majority of personal data breaches in 2021 were due to recurring issues, as follows:

  • data quality and accuracy issues, where service user contact information is not maintained
  • issues with paper files, where appointment letters were wrongly issued to an incorrect address
  • emails sent to the wrong person, where the incorrect email recipient was selected and the email was sent in error

Data collection

When collecting a data subject’s information manually, always confirm you have the correct information recorded.

Where data is collected digitally, you should ensure data validation controls are in place to confirm you have the correct information.

Letters and paper files

A letter sent to the wrong address is an example of a commonly occurring personal data breach.

Files can easily be misplaced, so they should not be taken out of the office unless this has been approved by your line manager.

Emails

It is very easy to send an email to the incorrect person(s). For example:

  • selecting the incorrect email recipient
  • misspelling the intended recipient’s address
  • using the ‘cc’ function in error instead of ‘bcc’

Before you send emails containing sensitive data:

  • take your time
  • double check you have selected the correct recipient
  • use bcc where required