Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, whether a standardised definition of an information governance breach applies across all NHS trusts and Integrated Care Boards in relation to the Federated Data Platform (FDP); what criteria are used to classify breaches as serious or major; and who is responsible for determining that classification.
The Information Governance Framework for the NHS Federated Data Platform (NHS FDP) is published at the following link:
https://www.england.nhs.uk/long-read/federated-data-platform-information-governance-framework/
Data breaches are determined in line with the guidance from the Information Commissioner’s Office. In the event of an actual or suspected security breach or data loss incident (incident) in any instance of the NHS FDP or NHS Privacy Enhancing Technology (NHS-PET), any party who becomes aware of the incident will notify NHS England.
In the case of the platform contractor, such a notification will be made in accordance with its obligations under clause 20, which is regarding authority data and security requirements, clause 23, regarding protection of personal data, and/or Schedule 2.4, regarding security management, of the agreement, as well as clause 6 of the FDP Data Processing Agreement. In addition, in the case of the NHS-PET Contractor, such a notification will be made in accordance with its obligations under clause 17, regarding protection of personal data, Schedule 3, regarding cyber security and information governance, of the Contract, and/or clause 6 of the NHS-PET Data Processing Agreement.
The NHS FDP contractor will notify NHS England of all incidents. The NHS FDP Contractor and user organisations will co-operate with NHS England’s service bridge, cyber, security, data protection, and incident management teams in the investigation, management, mitigation, rectification, restoration, and resolution of the incident in accordance with the NHS FDP Incident Management Protocol.
The relevant controller will report any personal data breach to the Information Commissioner’s Office in line with its responsibilities under UK General Data Protection Regulation.
NHS England and the NHS FDP contractors will co-operate with the local NHS FDP user organisation’s cyber, security, data protection, and incident management teams in the investigation, management, mitigation, rectification, restoration, and resolution of the incident in accordance with the NHS FDP Incident Management Protocol.
Brief details of all personal data breaches, including their root cause, will be reported by NHS England, the NHS FDP contractor, or the local NHS FDP user organisation, depending on who the controller and processor are in relation to the personal data breach, to the Data Governance Group. Each party will co-operate with the other impacted parties in the production of the reports.