Data Breach Response Policy
(for DVSP ltd trading under UK ME/CFS specialist clinic)
1. Purpose
This policy sets out the clinic’s procedures for identifying, reporting, managing, and responding to actual or suspected personal data breaches, in compliance with the UK GDPR and Data Protection Act 2018.
2. Scope
This policy applies to all personal data processed by the clinic, including patient records, communications, and administrative data held within PKB, Smilenotes, Doxy.me, and any authorised devices or systems.
3. Definition of a Data Breach
A personal data breach includes any incident resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, including but not limited to:
Loss or theft of a device containing patient data
Unauthorised access to clinical systems
Accidental disclosure of patient information
Cyberattacks or system compromise
Data corruption or loss of availability
4. Roles and Responsibilities
The Clinic Director is responsible for:
Leading the breach response
Assessing severity and risk
Liaising with regulators, insurers, and vendors
Notifying affected patients where required
Third-party vendors (e.g. PKB, Smilenotes, Doxy.me) are responsible for notifying the clinic of any breach affecting their systems under their data processing agreements.
5. Breach Identification and Immediate Actions
Upon identification or suspicion of a data breach:
The incident is reported immediately to the Clinic Director.
Access to affected systems is suspended or restricted where necessary.
Compromised credentials are changed immediately.
Devices are isolated from networks if malware or unauthorised access is suspected.
The incident is logged with date, time, and initial details.
6. Breach Assessment
The Clinic Director will assess:
The nature and scope of the breach
The type and volume of data involved
The number of individuals affected
The potential impact on patients (e.g. identity theft, confidentiality harm)
Whether the breach is likely to result in a risk to the rights and freedoms of individuals
7. Notification and Reporting
Where a breach is likely to result in a risk to individuals’ rights and freedoms, the Information Commissioner’s Office (ICO) will be notified within 72 hours of awareness.
Where there is a high risk to individuals, affected patients will be informed without undue delay in clear, plain language.
Professional indemnity insurers will be notified in accordance with policy terms.
Third-party vendors will be engaged where the breach involves their systems.
8. Containment and Remediation
Steps will be taken to contain the breach and prevent recurrence.
Technical fixes, password resets, or system changes will be implemented as required.
Affected patients will be offered appropriate support and guidance.
9. Documentation and Review
All breaches and near misses will be fully documented.
A post-incident review will be conducted to identify root causes and improvement actions.
Policies and technical controls will be updated where necessary.
10. Training and Awareness
The Clinic Director maintains awareness of data protection obligations and breach response procedures.
This policy is reviewed annually or following any data breach.