7. Incident reporting

Guidance on reporting a data security incident in accordance with the General Data Protection Regulation and The Security of Network and Information Systems Directive.

The Data Security and Protection Toolkit includes a tool for reporting data security incidents to the Information Commissioner's Office, the Department of Health and Social Care and NHS England. 

Organisation administrators must notify a breach of personal data within 72 hours. If the breach is likely to result in a high risk to the rights and freedoms of individuals, organisations must also inform those individuals without undue delay.

If you require immediate advice and guidance related to a cyber security incident, please contact the NHS Digital Data Security Centre on: 0300 303 5222.

Further guidance on the legal mandate, what constitutes a breach and examples is available.
