/
Incident Management

Patients Know Best Resource Hub | Deploy | Developer | Trust Centre | Manual | Research | Education | Release Notes

Incident Management

Summary

This document outlines Patients Know Best’s procedures for detecting, managing, and resolving incidents to minimise risks, protect patient data, and ensure service continuity. It covers reporting and investigating non-clinical incidents, information security vulnerabilities, and data breaches while ensuring compliance with GDPR and the UK Data Protection Act 2018. The plan emphasises prompt incident detection, triage, mitigation, and resolution through defined roles and clear processes. It aims to establish root causes, implement corrective actions, and foster continuous improvement. All incidents are subject to monitoring, reporting, and periodic review to uphold legal, operational, and organisational integrity.

1. Purpose

This document outlines the procedures for detecting, managing, and resolving incidents that may affect Patients Know Best (PKB). The goal is to ensure incidents are handled promptly, reducing risks to patient data and service disruption, and to ensure continuous improvement across all operational areas.

Occasionally things will go wrong and when they do, Patients Know Best is committed to rapidly responding to them, this document covers the process for the reporting and investigation of non clinical incidents, information security weaknesses and vulnerabilities together with the process for analysis and improvement.  We aim to establish the causes of incidents, make sure lessons are learnt, enable appropriate actions are taken and suitable improvements are made to minimise any further recurrence.

The implementation of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) requires organisations to report certain types of incidents to NHS Digital, the Department of Health and Social Care (DHSC) and the Information Commissioners’ Office (ICO) (the supervisory authority).

It is a legal obligation to notify the ICO of personal data breaches of the legislation within 72 hours where there is a ‘high risk to the rights and freedoms of individuals’.  The legislation also makes it a legal obligation to communicate the breach to those individuals affected without undue delay when it is likely to result in a high risk to individuals rights.

If you have an incident to report please contact our Incident Response Group (IRG) contact us.

2. Scope

This procedure applies to all PKB staff, contractors, and relevant third-party service providers involved in incident detection, reporting, and management. It covers:

  • Information Governance (IG), Clinical, and Security risks managed by the Incident Response Group (IRG).

  • Operational incidents, including system outages, performance issues, and infrastructure disruptions managed by the Engineering team.

Activation of Contingency Plans.

If an incident results in the total loss of a critical system or the primary production environment, and the Incident RTO cannot be met with standard procedures, the Incident Coordinator, in consultation with the CTO, will formally activate the Disaster Recovery Plan

3. Definitions

Information Security Vulnerability: A vulnerability in an information system, information system security procedures, or administrative controls that could be exploited to gain unauthorised access to information or to disrupt critical processing.

Information Security Incident: A suspected, attempted, successful, or imminent threat of unauthorised access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of information security policy.

Information Security Event: An occurrence or change in the normal behaviour of systems, networks or services that may impact security and organisational operations (e.g., possible compromise of policies or failure of controls).

Information Governance Incident: An event involving non-compliance with legal, regulatory, or organisational policies governing data protection and confidentiality. Examples include failure to safeguard sensitive information, mishandling of personal data, or breaches of GDPR requirements.

Clinical Incident: An event that poses a risk to patient safety, clinical outcomes, or the quality of care, often related to errors in data integrity, delays in information access, or system failures that affect clinical decision-making. Examples include incorrect patient data, delayed access to critical records, or miscommunication of clinical information.

4. Roles and Responsibilities

The following roles are responsible for managing incidents at PKB:

First Responder: Acknowledges the incident, initiates triage, and informs the relevant teams.

Incident Coordinator (IC): Oversees the resolution of the incident, ensures communication, and manages escalation.

Scribe: Documents all stages of the incident, including actions taken, lessons learned, and root cause analysis.

Clinical Lead: Evaluates the clinical impact of incidents, including risks to patient safety and care quality.

Communication Lead: Coordinates all internal and external communication regarding the incident. Works with the Incident Coordinator and other stakeholders to create and execute a communications plan that communicates the incident to users, the public, and others affected.

Information Governance Lead: Ensures compliance with data protection regulations and breach notifications.

Support Lead: Monitors and communicates the impact on patients and users.

Technical Lead: Manages system and operational issues, including outages and service degradation.

 

5. Policy

This policy requires that all users report any perceived or actual information security vulnerability or incident as soon as possible but no later than 24 hours, using the contact mechanisms prescribed in this document. In addition, Patients Know Best employ automated scanning and reporting mechanisms that can be used to identify possible information security vulnerabilities and incidents.

  • If a vulnerability is identified, it will be resolved within the period of time outlined in this policy, based on its severity.

  • If an incident is identified, it will be investigated within the period of time outlined in this policy, based on its severity.

If an incident is confirmed as a breach, PKB will take all necessary steps to resolve the incident and recover information systems, data, and connectivity. Incident response procedures will be followed to contain, investigate, resolve, and communicate information to employees, customers, partners and other stakeholders and all technical steps taken during an incident will be documented.

Information and artifacts associated with incidents (including but not limited to files, logs, and screen captures) will be preserved appropriately in the event that they need to be used for further investigation to determine if any malicious activity has taken place. The collection of evidence will be managed by appropriate staff members with proper understanding and training in forensic evidence collection. All such information will be preserved and provided to law enforcement if the incident is determined to be malicious.

Incident Lifecycle

Detection and Reporting

Incidents include:

  • Personal Data breaches of the UK GDPR reported to the Information Commissioner

  • The Security of Network Information Systems incidents reported to the Department of Health, Social Care and Cyber Security

  • Incidents reported to NHS Digital and High Severity Service

  • Incidents relating to Online and Video Consultation Software reported to the NHS Digital Service Bridge

Incidents can be detected through:

  • IG, Clinical, and Security incidents: These are reported via internal monitoring systems, staff reports, or patient complaints.

  • Operational incidents: These include system monitoring tools, infrastructure alerts, and customer-reported issues.

All incidents must be reported through internal tools. Each report should include:

  • Date/time of detection.

  • Affected system or service.

  • Description of the issue and its potential impact.

Where incidents occur out of hours, we have arrangements in place to ensure Directors or other nominated individuals are informed of the incident and take action to inform and involve the appropriate staff.

Triage and Severity Assessment

All incidents are assessed for the risk, severity, scale and sensitivity of the incident based on all information known at the time. The IRG will reference the NHS Digital Guide to the Notification of Data Security and Protection Incidents as part of this assessment. The most recent version of this document can be found here

Upon reporting, the Incident Coordinator leads the triage process, assigning severity based on the following criteria:

Severity Level

Impact

Urgency

Escalation Time (incident escalated to Senior Management)

Severity Level

Impact

Urgency

Escalation Time (incident escalated to Senior Management)

4 - Critical

Total system outage, severe patient safety risk, or large-scale data breach.

Immediate response required.

Escalate within 4 hours.

3 - High

Significant service impact or moderate patient/data safety risk.

Urgent response required.

Escalate within 8 hours.

2 - Medium

Moderate service impact, performance issues, or minor patient/data impact.

Response within business hours.

Escalate within 24 hours.

1 - Low

Minor service impact or low-risk issues without patient or data implications.

Scheduled response within 48 hours.

Escalate within 48 hours.

Breach Assessment 

Where the incident is assessed that it is (at least) likely that some harm has occurred and that the impact is (at least) minor, the incident is reportable and full details will be automatically emailed to the ICO and the NHS Digital Data Security Centre. The DHSC will also be notified where it is (at least) likely that harm has occurred and the impact is at least serious.

Severity

(Impact)

 

Catastrophic

5

5

10

15

20

DHSC & ICO (24 hours)

25

Serious

4

4

8

12

16

 

20

 

Adverse

 

3

 

3

 

6

 

9

 

12

 

ICO

 

15

Minor

2

2

4

6

8

10

No Adverse Effect

1

1

2

3

4

5

 

 

1

2

3

4

5

 

 

Not Occurred

Not Likely

Likely

Highly Likely

Occurred

Likelihood that individuals rights have been affected (harm)

This operates on a 5 x 5 basis with anything other than “grey breaches” being reportable. Incidents where the grading results are in the red are advised to notify within 24 hours.

The Incident Coordinator ensures both the Technical Lead and IG Lead assess the relevant aspects of the incident (operational or data-related).

Containment and Mitigation

Depending on the incident type:

  • For IG, Clinical, and Security incidents: The IRG team takes immediate steps to secure unauthorised access, initiate data recovery, and preserve evidence.

  • For Operational incidents: The Technical Lead and Engineering team isolate the affected systems and restore services.

The Incident Coordinator coordinates between teams to ensure that appropriate actions are taken swiftly.

Resolution

The resolution process involves:

  • Mitigation: Reducing the impact of the incident by restoring affected systems and protecting the integrity of data.

  • Communication: Ensuring all stakeholders are updated throughout the incident via internal tools and status pages for operational incidents.

Once resolved, the incident moves to postmortem review.

Communication

The Communication Lead, working with the Incident Coordinator, ensures that:

  • Internal communications: Updates are provided regularly via internal tools to keep teams informed.

  • Customer-facing communications: Notifications for data breaches are sent to regulatory bodies and individuals when necessary. Affected customers are kept informed of progress.

The engineering team ensures that updates for operational incidents are shared on PKB’s status page.

Postmortem and Continuous Improvement

After the resolution, a postmortem review is conducted to analyse:

  • Root cause analysis: Identifying the underlying cause of the incident and areas for improvement.

  • What worked well and what could be improved.

  • Action items: Preventative measures to reduce the risk of recurrence.

The Scribe ensures all documentation is completed, and tracks any follow-up actions.

Closure

Once all postmortem actions are completed and verified, the incident is closed. The Incident Coordinator ensures all steps have been documented in the tracking system, and lessons learned are shared with relevant teams.

Confidentiality and Data Protection

All incidents involving personal data breaches must be reported in compliance with PKB’s Information Security and Data Protection Policy and the UK General Data Protection Regulation (UK GDPR). The IG Lead is responsible for ensuring compliance with legal and contractual obligations, including notifying regulators if necessary.

6. Monitoring and Enforcement

The processes surrounding incident response in Patients Know Best are periodically reviewed and evaluated for effectiveness. This involves appropriate training of resources expected to respond to incidents, as well as the training of all staff regarding Patients Know Best's expectation for them, relative to incident reporting responsibilities. Failure to report information security incidents shall be considered to be a security violation and will be reported to Human Resources/People for disciplinary action.

The incident response plan is reviewed annually.

Revision History

Version

Date

Description

Version

Date

Description

2.2

13/05/2026

Public version created.