CCG FOI 605 – Breaches of Data Protection

Responded to: 14th June 2016

I am writing under the Freedom of Information Act 2000 to request details of breaches of the Data Protection Act within in your organisation; specifically I am asking for:

1a. Approximately how many members of staff do you have?  126

1b. Approximately how many contractors have routine access to your information?  13 (see www.suresite.net/foi.php for clarification of contractors if needed)

2a. Do you have an information security incident/event reporting policy /guidance/management document(s) that includes categorisation/classification of such incidents?  Serious Incidents Procedure

2b. Can you provide me with the information or document(s) referred to in 2a? (This can be an email attachment of the document(s), a link to the document(s) on your publicly facing web site or a ‘cut and paste’ of the relevant section of these document(s)) 

3a. Do you know how many data protection incidents your organisation has had since April 2011? (Incidents reported to the Information Commissioners Office (ICO) as a Data Protection Act (DPA) breach) Yes –  Only since 13th April 2013

3b. How many breaches occurred for each Financial Year the figures are available for?

  • FY11-12:  n/a
  • FY12-13:  n/a
  • FY13-14:   0
  • FY14-15:   0

4a. Do you know how many other information security incidents your organisation has had since April 2011? (A breach resulting in the loss of organisational information other than an incident reported to the ICO, eg compromise of sensitive contracts or encryption by malware)  Yes – Only since 13th April 2013. Total loss of information = 7

4b.How many incidents occurred for each Financial Year the figures are available for?

  • FY11-12:  n/a
  • FY12-13:  n/a
  • FY13-14:   4
  • FY14-15:   3

5a.       Do you know how many information security events/anomaly your organisation has had since April 2011? (Events where information loss did not occur but resources were assigned to investigate or recover, eg nuisance malware or locating misfiled documents.)  No Information held by contracted supplier.

5b. How many events occurred for each Financial Year the figures are available for?

  • FY11-12:   n/a
  • FY12-13:   n/a
  • FY13-14:   Not known as subcontracted  Greater Manchester Shared Service
  • FY14-15:   Not known as subcontracted Greater Manchester Shared Service

6a. Do you know how many information security near misses your organisation has had since April 2011? (Problems reported to the information security teams that indicate a possible technical, administrative or procedural issue.)  Yes Only since 13th April 2013 – Total Security near misses = 8

6b. How many near-misses occurred for each Financial Year the figures are available for?

  • FY11-12:  n/a
  • FY12-13:  n/a
  • FY13-14:  4
  • FY14-15:  4

NHS Stockport CCG has only been in existence since April 1st 2013 and therefore only holds information from this date to the present day. We are not in a position to provide information on former and now defunct organisations. If you wish to pursue this further you need to contact: england.foihub@nhs.net
The information supplied to you continues to be protected by the Copyright, Designs and Patents Act 1988.  You are free to use it for your own purposes, including any non-commercial research you are doing and for the purposes of news reporting.  Any other reuse, for example commercial publication, would require the permission of the copyright holder.  Most documents supplied by NHS Stockport Clinical Commissioning Group will have been produced by Government officials and will be Crown Copyright.