This plan provides guidance and information to enable Rotherham, Doncaster and South Humber NHS Foundation Trust to respond to a cyber or data security incident. It is intended to provide guidance to strategic-level managers, for example in trust gold command.
The General Data Protection Regulation (GDPR) as implemented by the UK Data Protection Act 2018 introduced a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority.
The Security of Network and Information Systems Directive (“NIS Directive”) also requires reporting of relevant incidents to the Department of Health and Social Care (DHSC) as the competent authority from 10 May 2018.
An organisation must notify a breach of personal data within 72 hours. If the breach is likely to result in a high risk to the rights and freedoms of individuals, the organisation must also inform those individuals without undue delay. Breaches that also meet the criteria for a NIS notifiable incident will be forwarded to the DHSC, where the Secretary of State is the competent authority for implementation of the NIS Directive in the health and social care sector. The Information Commissioner remains the national regulatory authority for the NIS Directive.
To download the policy please follow the link and find the policy under cyber and data security: Cyber and data security incident plan (staff access only) (opens in new window).
To access the equality impact assessment for this policy, please see the overarching equality impact assessment.
Page last reviewed: January 17, 2025
Next review due: January 17, 2026