

Provide Group Incident Reporting and Management Policy
Incorporating the NHS Patient Safety Incident Response Framework
Incorporating IG/IT provisions of ISO27001:2022 standard
Version: V1
Ratified by: Group Quality & Safety Committee
Date ratified: 11/02/2025
Job Title of author: Director Nursing & Allied Health Professions
Policy shared with for review and comment:
• Provide Chief Officers via SLT meeting
• Quality and Safety Team
• Head of Health, Safety and Compliance
• Head of Information Governance & Group Data Protection Officer
• Managing Director Provide Care Solutions Ltd
• Director Operations Provide Care Solutions Ltd
• Operations Director Provide Wellbeing Ltd
Reviewed by Committee or Expert Group: Group Quality & Safety Committee
Equality Impact Assessed by: Director Nursing & Allied Health Professions
Related procedural documents:
• HRPOL01 Freedom to Speak Up (Whistleblowing) Policy
• QSPOL03 Duty of Candour Policy
• QSPOL09 Risk Management Policy
• QSGUI01 Guidance on writing a witness statement as part of a Serious Incident Investigation
• IGPOL62 Information Governance Policy
Review date: February 2026


It is the responsibility of users to ensure that they are using the most up to date document template, i.e. obtained via the intranet.
In developing/reviewing this policy Provide Community has had regard to the principles of the NHS Constitution.
Version Control Sheet
Version: V1
Date: September 2024
Author: Director Nursing & Allied Health Professions
Status: Ratified
Comment: This policy replaces the Provide Group All Incident reporting (including Serious Incident Reporting) & Management Policy V9 and QSPOL15 Patient Safety Incident Response Framework. IG/IT provisions align with the requirements of ISO27001:2022 standard.


1. Introduction
Provide Group is committed to ensuring care delivery is of the highest quality and that its services are safe and effective, with the safety of all staff, patients, service users and visitors being a top priority. Within the Provide Group safety is everyone’s business.
A key function of developing and maintaining safe, high quality and effective services is to ensure incidents and near misses are reported and acted on in a timely manner and oversight of incident themes and trends is used to inform quality and safety improvement initiatives.
The Provide Group approach to incident management encompasses:
• Compassionate engagement and involvement of those affected by incidents.
• Openness and honesty being at the heart of our incident response
• Considered and proportionate responses to incidents and safety issues.
• Proactive as well as reactive review of incidents to promote safety and quality
• A safety culture which encourages staff to report and speak up about incidents and near misses
2. Purpose
This policy sets out the Provide Group arrangements for the reporting and management of all incidents, including near misses, to ensure incidents are reported, reviewed and investigated appropriately and in a timely manner, so that lessons are learnt and quality and safety are maintained and improved.
This policy replaces the Provide Group “All Incident reporting (including Serious Incident Reporting) & Management Policy V9” and Provide QSPOL15 Patient Safety Incident Response Policy. It is aligned to the NHS Patient Safety Incident Response Framework (PSIRF), and the principles of PSIRF have been used to inform the overall approach to the management of safety events across all Health and Social Care services within the Provide Group.
3. Safety Culture
3.1. Just Culture
Provide Group promotes a “Just culture” which supports a culture of fairness, openness and learning where staff can feel confident to speak up when things go wrong, rather than fearing blame. This enables a healthy learning culture where staff feel safe to report incidents and near misses and actively contribute to investigations and embedding learning to improve safety and quality.
In a just culture inadvertent human error, freely admitted, is not normally subject to sanction and investigations principally attempt to understand why failings occurred and how the system led to sub-optimal practice. However, a just culture also holds people appropriately to account where there is evidence of harm arising from deliberate acts or gross negligence.
3.2. Freedom To Speak Up (Whistleblowing)
Across the Provide Group staff have the Freedom to speak up (whistle-blow) if they are concerned about quality or safety in the organisation. Freedom to Speak Up (FTSU) is about encouraging a positive culture where people feel they can speak up and their voices will be heard, and their suggestions acted upon. Speaking up is about anything that gets in the way of providing good care.
For more information refer to HRPOL01 Freedom to Speak Up (Whistleblowing) Provide Group Policy
4. Duty of Candour
Provide is committed to supporting families and staff when things go wrong and understands the importance of being transparent in admitting mistakes and learning from them to improve the services being delivered.
The Duty of Candour applies to every health and social care provider that the CQC regulates. The statutory duty of candour is a general duty for providers of Health and Social care services to be open and transparent with people receiving care from them. The Professional Duty of Candour requires Health and Social Care professionals to act in an open and transparent way with people receiving care or treatment from them.
The Duty of Candour must be applied when a notifiable safety incident occurs. A notifiable safety incident is one which must meet all 3 of the following criteria:
• It must have been unintended or unexpected.
• It must have occurred during the provision of an activity we regulate.
• In the reasonable opinion of a healthcare professional, already has, or might, result in death, or severe or moderate harm to the person receiving care.
If any of these three criteria are not met, it is not a notifiable safety incident (but remember that the overarching duty of candour, to be open and transparent, always applies).
For more information refer to QSPOL03 Duty of Candour Provide Group Policy
5. Informing, Involving and Engaging
It is important that all those affected by an incident receive appropriate support to manage the impact of the events, ensuring any clinical, psychological or safety needs they may have as a result of the incident are addressed promptly.
While we cannot change what has happened, a caring and compassionate response is in our gift and it is an important first step in responding to any incident. It is essential that an early explanation is provided about what has happened, along with an initial apology in line with the Duty of Candour requirements. It is also a priority to ensure that the people affected are given the opportunity to talk about their experience and to ask questions so that their needs can be met and their insights and questions can inform the investigation and learning from the incident.
When an incident occurs the staff on duty and service manager responsible for the service where the incident happened are best placed to ensure that the person/people affected (or where appropriate, their advocate, carer or family) are informed about the incident that has occurred and are offered an apology as appropriate along with agreeing a plan to ensure appropriate on-going care and support is provided.
Appropriate support should also be provided to the staff involved in any incident, ensuring they are treated with respect and compassion and they are involved in the process of exploring what happened using their lived experience and hearing their perspectives on how systems or practice can be improved as part of the learning process. A debrief following the incident to allow staff time to speak and reflect about the incident is a useful process that managers should consider as part of their initial response to supporting staff following an incident.
Where an incident is designated serious enough to warrant a full investigation to identify the learning, the Director responsible for the service should appoint an appropriate person to engage with the people affected by and involved in the incident.
The level of involvement and engagement should be proportionate to the type of incident that has occurred and the level of harm that resulted and should be tailored to the needs of the people involved. The guide below provides an example of the engagement and involvement process to support people involved in a safety event.
Staff on duty:
• Inform the service user immediately about the Incident and offer an apology and explanation
• Inform their family /carer according to service user wishes
• Agree with service user and their family/carer as appropriate a plan of care to address any actual/potential harm
• Update the service user and their family /carer as appropriate about what is being done to prevent a recurrence/learn from the incident

Staff on duty:
• Inform the service user immediately about the Incident and offer an apology and explanation
• Inform their family /carer according to service user wishes
• Agree with service user and their family/carer as appropriate a plan of care to address any actual/potential harm
Service Manager:
• Contacts service user and their family/carer as appropriate
• Offers a meaningful apology
• Explores support needs and agrees plan to address these
• Answers questions and explores their perspective of care issues that may have contributed to the incident
• Explains how the incident will be reviewed to identify what can be learned so that improvements can be made
• Agrees what further contact (if required) will happen
• Where harm as a result of care or service delivery is identified a written duty of candour letter is completed
Service Director appoints an appropriate senior manager to undertake engagement
Designated senior manager:
• Contacts service user and/or their family/carer as appropriate
• Offers a meaningful apology
• Explores support needs and agrees plan to address these
• Answers questions and explores their perspective of care issues that may have contributed to the incident
• Explains how the incident will be reviewed to identify what can be learned so that improvements can be made
• Service user and/or their family/ carer as appropriate are asked what questions they would like answered as part of the review
• Terms of reference for the review are shared with service user and/or their family/carer as appropriate
• Point of contact for updates and timescales agreed
• Investigation outcomes and learning shared and questions answered
• Written Duty of Candour letter sent

5.1 Information Governance Incidents Involving and Informing
For Information Governance incidents where a breach of personal data has been identified the level of involvement and engagement should be proportionate to the incident and the data breach. Where a single person is involved the service manager should offer a swift apology and explanation of what happened and what is being done to put things right. Where multiple people are affected or the breach is serious the service Director should work with the Information Governance Officer and Senior Information Risk Owner (SIRO) to agree how people will be informed and what feedback mechanism will be put in place to allow people to contact the organisation and ask questions/discuss their concerns.
If a breach is likely to result in a high risk to the rights and freedoms of individuals, the UK GDPR says you must inform those concerned directly and without undue delay. In other words, this should take place as soon as possible.
The incident handler/service lead and Provide Information Governance lead will need to assess both the severity of the potential or actual impact on individuals as a result of a breach and the likelihood of this occurring. If the impact of the breach is more severe, the risk is higher; if the likelihood of the consequences is greater, then again, the risk is higher. In such cases, the incident handler/service Manager or Director depending on severity will need to promptly inform those affected, particularly if there is a need to mitigate an immediate risk of harm to them.
One of the main reasons for informing individuals is to help them take steps to protect themselves from the effect of a breach. Where a significant or high risk is identified the Safeguarding team should also be made aware to assess any potential safeguarding risks that need to be reported and managed to protect the safety of those involved.
5.2 Patient Safety Partners
Within Provide, Patient Safety Partners (PSPs) will be actively involved in the design of safer health care at all levels in the organisation. They are members of the public with lived experience employed to support the organisation to consider the impact of quality and safety processes and outcomes from a service user perspective. While their title incorporates the word patient, their expertise will support across all areas of the Provide Group.
6. Incident Reporting
Staff are encouraged to report No Harm and/or Near Miss incidents, as from a risk management perspective they help guide procedures to avoid reoccurrences. Timely reporting of incidents allows Provide to:
• Reduce the likelihood of reoccurrence
• Provide feedback and information to those involved
• Improve practice as a result of the findings
• Set priorities for investment in training or other resources
• Assess and prepare for legal action
• Promote shared learning across the organisation
All areas of the Provide Group will utilise the Datix Incident Reporting System to record incidents and near misses with the exception of the Domiciliary care services that will utilise the Access Care Management System to record incidents in the client record.
All incidents should be reported without delay to the person in charge of the service at the time of discovery and should be recorded in the Datix/Access system as appropriate within 24 hours of the incident occurring or having been discovered. It is the responsibility of the most senior member of staff on duty when the incident occurs to ensure the incident reporting process is completed.
The reporter must ensure that when recording details of the incident they are factual and accurate and do not offer opinion or seek to apportion blame. The information recorded should be sufficient to enable a clear understanding of what happened and what steps were taken to support the people affected and to prevent any further harm or potential harm occurring to anyone else.
It is the Line Manager’s responsibility to ensure that staff are aware of their responsibility of reporting incidents into Datix or Access. It is every staff member’s responsibility to acquaint themselves with Datix or Access and to report accordingly. The member of staff that identifies and reports the incident is known as the ‘Reporter’.
Where an incident results in death or severe harm this should be reported without delay to the Director Responsible for the service (in hours) or the Director on-call (out of hours.) This is to ensure appropriate action can be taken by the Director to support the safety of colleagues /the service user / the public as appropriate and they will manage the incident ensuring onward informing and reporting as appropriate.
What is an Incident?
What is Harm?

Harm is the actual impact on a person from the particular incident being reported. This could be an injury (physical or psychological), disease, suffering, disability, or death.
Harm is related directly to the incident and not related to the natural progression of an illness or underlying condition.
7. Incident Types
Staff should report anything, which causes them concern regarding the health, safety or wellbeing of themselves or others involved with, or affected by, the organisation’s activities. Some examples of what should be reported are:
• Incidents that cause no harm but had a potential to cause harm and may recur or cause actual harm if not addressed – these incidents are known as near misses
• Those that cause low harm, moderate harm, severe harm or death as a result of the way care was delivered or due to issues with the systems and processes used by the Organisation.
• Those that involve property or equipment being faulty, damaged or stolen
• Those that concern loss, theft or inappropriate sharing of personal information
• Those that involve violence or aggression towards staff, visitors or service users
• Those that stop a service running effectively due to an issue with facilities, premises, staffing or any other reason
• Those where no people were involved: for example, medicine storage issues, flooding in a building, computer access issues, test result issues

• Those that occur as a result of a system, process, care delivery or communication issue between Provide Group services and another provider that has resulted in a near miss or actual harm (transfer of care issues are an example)
• Incidents that occur where care was provided by another organisation as would be the case when caring for people who have formal care packages in place or where people reside in a care home where their care is provided or where joint care provision is in place
• Those that occurred to a service user while in care of another provider but have been identified when coming into the care of Provide Group (e.g. a pressure ulcer is identified on admission or wrong medicine dispensed by a pharmacy etc.)
8. Recording Harms
When an incident occurs it is important to record the level of harm that has resulted so that appropriate action can be taken to support the people affected and ensure that there is an accurate record of what occurred at the time. Themes and trends from harms can help inform improvements in safety and quality. It also helps to identify when a notifiable safety incident has occurred which needs to be reported to the Care Quality Commission and identifies where the Duty of Candour applies.
When recording an incident the actual level of harm apparent should be recorded based on the best information available at the time. Potential harm should not be recorded. Potential harm is the harm that could have occurred but hasn’t actually happened or isn’t apparent at the time. If more information becomes available harm levels can be reviewed and updated to more accurately reflect the actual level of harm that resulted.
Recording harms can be difficult. Below are some examples to guide accurate harm recording:
• A document containing sensitive patient information is sent to the wrong patient. This is very serious, as we have a duty to protect people’s information, and should be recorded as an incident. However, it should not be recorded as a serious harm if the people concerned have not been physically or psychologically harmed; they may be cross about the sharing but not impacted long term psychologically, so the incident should be recorded as a no harm incident.
• If a patient dies or is found deceased, this is a very serious situation but their death may not have occurred as a result of a care safety issue or organisational safety issue as they died of natural causes. Therefore no harm has occurred.
• If a service user died during the delivery of care or treatment as a result of a care safety issue, for example they died as a result of an unexpected or unintended event, this would be a fatal harm.
• If a service user died of natural causes but experienced a care safety issue that did not cause or contribute to their death but was an unintended or unexpected incident, for example, they were given only one of their pain killer tablets instead of 2 causing unnecessary pain and discomfort, this would be a low harm incident.
• A category 3 pressure ulcer or wound is discovered on admission. While the wound may need treatment, it did not arise as a result of care delivery by Provide, therefore no harm has occurred while in our care. The harm level should still be recorded appropriate to the level of care and the impact experienced by the service user, but the reporter should state ‘No’ to the question “Did the incident occur whilst the patient was under your organisation’s care?”
• If a person has multiple pressure ulcers that developed by the same mechanism this only needs to be recorded once with the harm level recorded in line with the pressure ulcer with the highest level of harm.
• If a service user has multiple pressure ulcers which developed due to different mechanisms (i.e. one develops due to a monitoring device, and the other is related to profiling bed equipment), two distinct incidents have occurred and should be recorded as such.
• Harm levels for pressure ulcers cannot be standardised to categories. This means category 3 pressure ulcers should not routinely be recorded as a moderate harm and category 4 as severe harm. Instead the size and location of the pressure ulcer and the impact on the service user as a result should determine the harm that is recorded. A category 3 pressure ulcer could be recorded as low harm if it is small and likely to heal rapidly but may be moderate or severe depending on the size and location and the required treatment and long-term outcome.
Where there is uncertainty about the level of harm caused, the Quality and Safety Team can be contacted for guidance.
9. Harm Levels
Harm level should be identified using the descriptors below. The Harm recorded should be the actual harm that resulted not the potential harm.
Near Miss
No harm has occurred as an intervention prevented the incident harming someone
No Physical Harm
An incident actually happened but no harm has occurred
No Psychological harm
Being involved in any patient safety incident is not pleasant, but “no harm” should be selected if no specific psychological harm that meets the description of ‘low psychological harm’ or worse is identified. Pain should be recorded under physical harm rather than psychological harm.
Low Physical Harm
All of the following must apply:
• minimal harm occurred – person/people required extra observation or minor treatment
• did not or is unlikely to need further healthcare beyond a single GP, community healthcare professional, emergency department or clinic visit
• did not or is unlikely to need further treatment beyond dressing changes or short courses of oral medication
• did not or is unlikely to affect the affected person(s) independence
• did not or is unlikely to affect the success of treatment for existing health conditions.
Low Psychological harm
At least one of the following must apply:
• distress that did not or is unlikely to need extra treatment beyond a single GP, community healthcare professional, emergency department or clinic visit
• distress that did not or is unlikely to affect the person(s) normal activities for more than a few days

• distress that did not or is unlikely to result in a new mental health diagnosis or a significant deterioration in an existing mental health condition
Moderate Physical Harm
Harm that requires a moderate increase in treatment and at least one of the following must apply:
• has needed or is likely to need healthcare beyond a single GP, community healthcare professional, emergency department or clinic visit, and beyond dressing changes or short courses of medication, but less than 2 weeks additional inpatient care and/or less than 6 months of further treatment, and did not need immediate life-saving intervention
• has limited or is likely to limit the patient’s independence, but for less than 6 months
• has affected or is likely to affect the success of treatment, but without meeting the criteria for reduced life expectancy or accelerated disability described under severe harm.
Moderate Psychological harm
At least one of the following must apply:
• distress that did or is likely to need a course of treatment that extends for less than six months
• distress that did or is likely to affect the patient’s normal activities for more than a few days but is unlikely to affect the patient’s ability to live independently for more than six months
• distress that did or is likely to result in a new mental health diagnosis, or a significant deterioration in an existing mental health condition, but where recovery is expected within six months
Severe Physical Harm
At least one of the following must apply:
• permanent harm/permanent alteration of the physiology
• needed immediate life-saving clinical intervention
• is likely to have reduced the patient’s life expectancy
• needed or is likely to need additional inpatient care of more than 2 weeks and/or more than 6 months of further treatment
• has, or is likely to have, exacerbated or hastened permanent or long term (greater than 6 months) disability, of their existing health conditions
• has limited or is likely to limit the patient’s independence for 6 months or more.
The harm recorded should be the harm that has directly resulted from the incident and not related to the natural course of the service user's illness or underlying condition.
Severe Psychological harm
At least one of the following must apply:
• distress that did or is likely to need a course of treatment that continues for more than six months
• distress that did or is likely to affect the patient’s normal activities or ability to live independently for more than six months
• distress that did or is likely to result in a new mental health diagnosis, or a significant deterioration in an existing mental health condition, and recovery is not expected within six months
Fatal
You should select this option if, at the time of reporting, the person(s) has died and the incident that you are recording may have contributed to their death
• the death of the person - directly due to the incident, rather than the natural course of the person's illness or underlying condition
When recording psychological harm, you are not required to make a formal diagnosis; your answer should be an assessment based on the information you have at the point of recording and can be changed if further information becomes available
The Datix recording system requires the “overall level of harm” to be recorded once the physical and psychological harm levels have been recorded. To record overall level of harm, the highest level of harm, be it physical or psychological, should be recorded as the overall level of harm. E.g. if physical harm is moderate but psychological harm is low the overall level of harm would be “moderate.”

10. Incidents involving multiple people
Where an incident occurs that impacts on more than one person the harm level should be recorded for each person up to 10 people. If a safety incident affects more than 10 people only one incident form needs to be completed, with the details of the person with the highest level of harm in the category fields and the other impacts outlined within the “describe what happened” free text field, including the number of patients involved. In these instances, it is likely a patient safety/serious incident investigation will be instigated and the harm impact experienced by each person involved should be recorded as part of the investigation.
11. Preservation of Evidence
Where equipment or medical devices may have been involved in an incident where harm occurred, do not disassemble, clean, decontaminate or alter control settings. Report the incident to a senior manager and follow their advice on where and how to secure the equipment which can then be examined as part of an incident investigation.
In the case of a possible or actual criminal incident no action must be taken to clean up an area until the Police have attended. Any evidence must be preserved until the Police have completed their investigation. However, if the safety of service users or staff is at risk reasonable precautions must be taken to remove the danger.
In some serious incidents it is important clinical records and other records are secured to prevent sharing, loss or tampering. Where this is necessary the Service Director will work with the systems team to secure them.
12. Incident Management
Safety is everyone’s business and when an incident happens it is the responsibility of the person who discovered the incident to respond immediately to provide appropriate care to the people involved in line with their competence and role and take action to protect the people involved from further harm or potential harm. They should report the incident to the most senior person on duty without delay and where a person has experienced severe harm or fatal harm they should also report the incident without delay to the Director for their service (in-hours) or the on-call manager (out of hours).
Incident investigation is important to identify why an incident may have happened and to identify lessons that should be learned to prevent a recurrence and improve quality. Provide’s approach to incident management is that it should be proportionate and appropriate to the incident that has happened. For any incident that involves service users the principles of the NHS Patient Safety Incident Response Framework (PSIRF) and methodologies will inform the response and investigation across all Provide Health and Social Care services, as it is recognised the Framework sets out processes that are not NHS centric and can be applied organisation wide.
Where possible, incidents should be managed locally where the people who work in the services are best placed to explore what happened and identify ways to improve safety. Where incidents have resulted in significant harm or have impacted or have the potential to impact more people a more detailed response may be required if the harm resulted from care or service delivery issues.
12.1 Health and Safety Incidents
In the majority of instances, the incidents that occur will not cause harm, be near misses or will result in low harm and the cause of the incident will be clear. It is the responsibility of the relevant manager to ensure that any incidents that occur in their area of responsibility are investigated, and the appropriate remedial action is taken to ensure, as far as possible, there is no recurrence. Investigation of health and safety incidents follow the same processes as for clinical incidents so that they are appropriately investigated and reported and improvements in safety can be made.
The Health and Safety team are available to support managers and others on matters which might reasonably lie outside the competence of those carrying out an incident investigation.
12.2 Local Level Incident Management
Where there has been a near miss, no harm or low harm incident, the incident can be managed at the local service level by the designated incident handler (the handler) in conjunction with the service manager. The incident review should be completed within 2 weeks of the incident being reported.
The handler must ensure the people affected have been provided with appropriate care and support and that they have been informed about what has happened and what is being done to keep them safe. Where the handler identifies an on-going risk this should be escalated to the manager of the service and onward to Director for the service for review and action. The service manager must ensure all staff within the service are aware an incident has happened and ensure the learning to improve quality is embedded.
The handler must record in the Datix / Access system the outcome of their review into what happened and what actions they have taken. They should also review the harm level that is recorded to ensure it is accurate. If a harm level is more severe than initially recorded and is identified as moderate or severe the handler should report this to the service manager and onward to the service Director. The Quality and Safety team must also be notified so that an assessment can be made as to whether a more detailed investigation is required to identify the learning to improve quality and to ensure any Duty of Candour requirements are met.
12.3 Intermediate Level Incident Management
Where there is an incident reported with a moderate harm level, the Handler must complete a review of the incident within 2 working days to identify the accuracy of the harm level. The Handler will review the circumstances of the incident, ensuring all appropriate steps have been taken to assure the safety of the people affected, and escalating to the service manager and onward to the service Director where they identify on-going risks. In all cases the service manager will ensure an apology, if appropriate, is completed as part of the incident management process and subsequently complete Duty of Candour if the incident is a notifiable safety incident.
Along with the handler, the Quality and Safety Team will review all incidents and, where moderate harm is identified or where there are potentially gaps in care that need further review, the incident will be presented by the handler at the Incident Review Panel (IRP).
The Incident Review Panel will consider the facts of the incident and will confirm and agree if the incident can be finalised and closed as local management and learning if appropriate; or they may recommend that the incident is further reviewed to achieve greater insight and learning from the incident. If this is the case an Incident Review Group (IRG) will be convened by the Quality and Safety Team and will include the service Director. The IRG will review the incident and confirm if the incident should be reviewed in more depth utilising one of the following methodologies appropriate to the type of service where the incident occurred:
• After Action Reviews (AAR) in health and social care services
• Patient Safety Incident Review (PSIR) process in health care services
• Safety Incident Review (SIR) process in social care services
If a review identifies the harm level as more severe than moderate, then the investigation will be escalated to a serious incident level management process.
12.4 Serious Incident Level Management
A serious incident is an event where something unexpected or unintended has happened, or failed to happen and where the consequences are so significant that a structured approach is required to ensure the safety of the people involved and to ensure a thorough review and investigation is completed to learn from the event and improve quality and safety. The types of event that would require a more structured approach are:
• Those that resulted in or had the potential to result in severe harm or death as a result of service delivery/care delivery (not a natural progression of disease)
• A near miss where the potential for harm is very great if systems or practice are not changed
• Actual or alleged abuse; sexual abuse, physical or psychological ill-treatment, or acts of omission which constitute neglect, exploitation, financial or material abuse, discriminative and organisational abuse, self-neglect, domestic abuse, human trafficking and modern-day slavery where the organisation did not take appropriate action/intervention to safeguard against such abuse occurring
• Never Events. These are defined as Serious Incidents that are wholly preventable because guidance or safety recommendations that provide strong systemic protective barriers are available at a national level and should have been implemented by all healthcare providers. NHS England publishes a reviewed list of Never Events annually and any organisations providing NHS care are expected to closely monitor the occurrence of Never Events within the services they provide
• Those where multiple people are affected such as:
▪ A significant test result issue with the potential that one or more people have been harmed or could be harmed
▪ A significant Information Governance breach
▪ A significant outbreak of infection or disease with the potential that one or more people have been or could be harmed
▪ A significant business continuity issue occurred with the potential to affect the organisation’s ability to deliver safe services or the incident has affected people who have been or could have been harmed
Where a serious incident occurs, staff on duty should take immediate steps within their competence and role to keep people safe and escalate without delay to their manager and onward to the Director responsible for the service (in hours) or the Manager on-call (out of hours). The Director / On-call manager will take charge of the situation to ensure the safety of people involved and is responsible for informing the Chief Officer responsible for the service in office hours or the Executive on-call out of hours.
The Director responsible for the service will lead the overall response to support the management and recovery of the service following the incident, ensuring those involved are appropriately supported. This may be part of a Business continuity or major incident response if the incident is very significant or involves multiple people where a more robust command and control process is required. If the incident involves fewer than 10 people and is unlikely to recur or impact on service continuity, the incident could be led to resolution by the Service Director.
13. Information Governance Incident Management
All organisations processing Health, Public Health and Adult Social Care Personal Data are required to use the Data Security and Protection (DSP) Toolkit Incident Reporting Tool to report level 2 IG incidents that occur. The DSPT toolkit will further assess the incident and, where appropriate, automatically report it to the Information Commissioner's Office, the Department of Health, and other regulators.
For most incidents a local review and learning can be undertaken by the Incident handler with support from the Group IG lead following the level 1 incident management process. The IG Serious Incident Reporting Checklist on Datix or Access should be completed as part of the review. Any IG Incidents categorised as Level 2 or above must be reported to the Group Chief Finance Officer who is the designated Senior Information Responsible Officer (SIRO) for the Group. The SIRO will confirm if the incident meets the criteria of a serious incident reportable via DSPT toolkit to the ICO and will request the Quality and Safety Team to convene a Serious Incident Review Panel. The incident will be managed following the level 3 incident management process and serious incident investigation process.
All Information Governance Serious Incidents (level 2) should be recorded on the Data Security and Protection Toolkit (DSP Toolkit) without undue delay (not later than 72 hours of the breach being notified) with as much information as can be ascertained at the time. This will be completed by the organisation’s Information Governance Lead. To enable them to meet this deadline all IG breaches should be reported onto Datix or Access without delay and be reported to the IG lead. A full record of the incident should be completed within 5 working days from when the incident was initially reported. Once incident management and investigation procedures have been followed the incident must be reported on the DSP Toolkit, where required, in a timely manner and in any case within 72 hours of discovering the incident/breach. Failure to meet the above requirements exposes Provide Group to an administrative fine.

14. Serious Incident Management
The Chief Officer responsible for the service where the incident occurred or Chief Officer designated by the Group Chief Executive if the incident affects multiple services will be accountable for ensuring service safety and recovery following a serious incident.
To support the investigation of a serious safety incident or significant event, the Quality and Safety Team will discuss the incident with the relevant service Director and Chief Officer as well as the Chief Executive for Health and Group Chief Nurse or their deputy to confirm that the incident should be designated as a serious incident.
The Quality and Safety Team will notify the Senior Leadership Team of the incident and will convene a Serious Incident Review Group (SIRG). The purpose of the SIRG will be to:
• Review the known facts of the incident and assess the level of harm that has occurred and consider if others are at risk of harm, working to put mitigations in place where needed. Where multiple people are affected, they will put in place a process to review and confirm harms for each individual involved.
• Agree how the incident should be investigated (i.e. following the NHS Patient Safety Incident Response Framework for NHS commissioned services, following the Serious Incident Process for non-NHS services or commissioning an external investigation if a more independent review is required).
• Agree if the incident can be investigated by a single investigator or whether a panel is required to bring expertise together to manage the scale of the incident.
• Consider what other investigations have already been instigated or may be instigated to avoid duplication e.g. LeDeR, Coroner inquest, Police Investigation, HSE investigation or other.
• Designate an investigating officer/s or Investigation Panel (Chair and members of the panel to be identified)
• Agree terms of reference for the investigation
• Agree timescales for the investigation and how often SIRG needs to meet to track the progress of the investigation
• Agree how the people affected will be involved and engaged including having their voices heard, questions answered, and feedback given on outcomes and learning
• Ensure Duty of Candour is completed.
• Ensure the investigation progress is tracked to avoid unnecessary delays
• Review the draft report to ensure all the terms of reference have been answered
• Agree the final version of the report and recommendations
• Consider wider organisational learning and how this is shared
• Co-ordinate any complaint response or media enquiries as part of the overall incident management
• Ensure notification has been completed as required; this may include notification to:
▪ The Senior Leadership Team
▪ The Care Quality Commission
▪ The Health and Safety Executive
▪ The Information Commissioner's Office
▪ The Commissioner for the service
▪ UKHSA
▪ MHRA
▪ The Police
▪ The Local Authority if there are Safeguarding concerns
▪ Other
The SIRG will consist of:
• The Chief Officer responsible for the service or function (in their absence the Chief Executive for Health and Group Chief Nurse)
• The Group SIRO or their designated Deputy if the incident concerns Information Governance
• The Director responsible for the service
• The Service Manager /person with the detail of the incident
• The Director of Nursing and Allied Health Professions or deputy
• A relevant subject matter expert from the corporate teams as appropriate (or externally commissioned if deemed necessary).
• Others as requested by the chair
The Chief Officer responsible for the service will chair the SIRG unless the incident concerns Information Governance or another corporate function such as Health and Safety, where it may be more appropriate for another Chief to chair the panel.
14.1 Investigation Methodologies
In line with the NHS Patient Safety Incident Response Framework (PSIRF), the approach to incident management in NHS commissioned services will follow the principles of the framework as set out in the Provide Group PSIRF Plan. Staff involved in undertaking investigations will utilise the recommended, proportionate approach and tools to maximise learning.
In non-NHS commissioned services the Serious Incident Investigation approach will utilise the PSIRF tools and methodologies to standardise the Provide Group approach to investigations and to maximise learning.
Investigation Methodologies Guide
These methodologies are recommended for all incidents across the Provide Group. Alternative methodologies may be utilised with the agreement of the relevant Chief Officer and Quality & Safety Team.
Safety Event: Near miss / Low harm / No Harms
Methodology:
Local investigation and learning. Swarm huddles may be utilised.
Outcomes will be recorded in Datix / Access System record.
Safety Event: Moderate Harms
Methodology:
• Local investigation and learning where no gaps/minor gaps in care are likely and the incident can be resolved with local learning or the harm is more likely than not to be as a result of the natural progression of disease. Outcomes will be recorded in Datix / Access System record
• If uncertainty or more likely than not care or service delivery issues contributed to the harm, the incident will be reviewed at the Incident Review Panel who will recommend one of the following processes to identify the learning:
▪ A Patient Safety Incident Review / Safety Incident Review (PSIR/SIR) in line with the PSIRF / SUSIRF plan or After-Action Review (AAR)
An action plan will be instigated to embed the learning from a PSIR or AAR.
Safety Event: Fatal / Deaths (unexpected deaths not likely to be as a result of care delivery issues)
Methodology:
• Structured Judgement Review in line with the Learning from Deaths Policy will be used
• LeDeR process will be followed for deaths concerning people with learning disabilities
An action plan will be instigated to embed the learning from an SJR or LeDeR review.
All PSIRs will be reported to the Quality and Safety Committee.
Safety Event: Significant Events:
• Never Events
• Severe Harm
• Fatal unexpected death (as a result of care delivery issues not natural progression of disease)
• Large numbers of people harmed or harm unknown but it is possible people have been harmed or would be harmed if learning is not achieved
Methodology:
A Serious Incident Review Group to be convened to agree methodology which could include:
• For NHS services - Patient Safety Incident Investigation (PSII)
• For non-NHS services - Safety Incident Investigation (SII)
• External Investigations may be commissioned by Provide if more independence is required
• External Investigations may be undertaken by:
▪ HM Coroner
▪ NHS Enquiries
▪ LeDeR
▪ Child Death Review
▪ Safeguarding Adult Review
▪ Section 42 Safeguarding Review
▪ Police Investigation
▪ Regulator Investigation
▪ HSE Investigation
All serious incident investigations will have an action plan to implement the recommendations.
All serious incident investigations will be reported to the Quality and Safety Committee.
Monitoring:
Incident themes and trends oversight by service Directors and Quality & Safety Team to identify areas for Quality Improvement.
Quality Assurance visits or audits will be utilised to test recommendations and learning have been sustained.
Methodology Descriptors
PSIR (Patient Safety Incident Investigation)
SIR (Safety Incident Investigation)
PSIR / SIR reviews are led by staff trained to conduct reviews to achieve learning, and the review and learning is recorded in a PSIR / SIR template. PSIR / SIR training and templates align to the NHS Patient Safety Incident Response Framework.
PSII (Patient Safety Incident Investigation)
SII (Safety Incident Investigation)
PSIIs / SIIs are led by staff trained to conduct investigations, and the investigations utilise the tools and templates aligned to the NHS Patient Safety Incident Response Framework. These investigations explore decisions or actions as they relate to the situation. The method is based on the premise that actions or decisions are consequences, not causes, and is guided by the principle that people are well intentioned and strive to do the best they can. The goal is to understand why an action and/or decision was deemed appropriate by those involved at the time and to establish how changes can be made to improve safety. The National PSII template is utilised to guide standardisation of approach and report, and the SII template mirrors this approach but has been adapted to suit social care services.
Multidisciplinary Team (MDT) review
The MDT review supports health and social care teams to:
• Identify learning from multiple safety incidents (including incidents where multiple people were harmed or where there are similar types of incidents)
• Agree, through open discussion, the key contributory factors and system gaps in patient safety incidents for which it is more difficult to collect staff recollections of events either because of the passage of time or staff availability.
• Explore a safety theme, pathway, or process.
• Gain insight into ‘work as done’ in a health and social care system.
After Action Review (AAR)
An After-Action Review method of evaluation usually takes the form of a facilitated discussion following an event or incident. It enables understanding of the expectations and perspectives of all those involved, and it captures learning, which can then be shared more widely.
AAR generates insight from the various perspectives of the MDT and can be used to discuss both positive outcomes as well as incidents. It is based around four questions:
• What was the expected outcome/expected to happen?
• What was the actual outcome/what actually happened?
• What was the difference between the expected outcome and the event?
• What is the learning?
Post Infection Review (PIR)
The principal purpose of the Post Infection Review (PIR) is to support commissioners and providers of care to deliver zero tolerance on bloodstream infections. The purpose of the PIR is to identify how a case of bloodstream infection occurred and to identify actions that will prevent it reoccurring. This review is a cross-system process and enables pathways of care and treatment to be examined to identify improvements and/or change.
Swarm Huddle
A swarm is designed to start as soon as possible after a patient safety incident occurs. Immediately after an incident, staff ‘swarm’ to quickly analyse what happened and how it happened and decide what needs to be done to reduce any risk. Swarms enable insights and reflections to be quickly sought and generate prompt learning. This has the benefit of staff being able to readily recall key information that may be forgotten over time, and supports staff in recognising that the aim is to identify learning and improvement in a Just Culture.
Thematic Review
A thematic review can identify patterns in data to help answer questions, show links, or identify issues. Thematic reviews can sometimes use a combination of qualitative data with quantitative data to inform findings.
Thematic review can be used to inform a safety incident response plan, analyse a safety incident or theme, and inform or assess the impact of a safety / quality improvement plan.
15. Timescales for Incident Management & Investigation
What happens: Incident reported on Datix or Access system
When: As soon as possible after the incident is identified
Who: The person who identified the incident

What happens: Handler review of No Harm / Low Harm incidents
When: Within 2 weeks of the incident being reported
Who: Incident Handler

What happens: Handler review of Moderate Harm incidents
When: Within 2 working days
Who: Incident Handler

What happens: Service Director review of Severe Harm or Fatal Harm incidents
When: Within 1 working day
Who: The Service Director / Manager on-call

What happens: Quality and Safety Team review of all Datix incidents
When: Within 2 working days
Who: Designated Quality and Safety Team Reviewer

What happens: Incident Review Panel review of Moderate Harm incidents
When: Within 21 days of the incident occurring
Who: Quality and Safety Team

What happens: Closure of incidents
When:
• For No Harm / Low Harm incidents - within 21 days of the incident occurring
• For Moderate Harm incidents being locally managed - within 21 days of the incident occurring
• For Moderate Harm incidents being investigated with AAR or PSIR / SIR - within 3 months of the incident occurring
• Fatal incidents subject to an SJR - within 3 months of being reported
• Severe Harm / Fatal Harm being investigated as a serious safety event - see timescales below for PSII / SII
Who:
• Quality and Safety Team for Datix incidents
• Service CQC Registered Manager for incidents recorded on Access

What happens: Swarm Huddles
When: As soon as possible on the day of the incident
Who: Most senior person on shift co-ordinates the huddle and records the learning

What happens: AAR - After Action Reviews
When: Within 20 days of the incident occurring
Who: Lead identified at Incident Review Panel or by Service Director from AAR Conductor list held by Quality and Safety Team

What happens: Comprehensive Investigation
• PSII - Patient Safety Investigation
• SII - Safety Incident Investigation
When: Commences as soon as practical after the Serious Incident Review Group commissions the investigation. Completes within 6 months of being commissioned, depending on complexity, unless external processes dictate timescales
Who: Serious Incident Review Group commissions investigations and maintains oversight

What happens: Completion of action plans to embed the learning from incidents
When: Within 4 months of an investigation being completed and the final report being approved
Who: Service Directors

16. Learning from Incidents
It is essential that learning from incidents informs improvement in quality and safety. All incidents provide an opportunity for learning and all staff are responsible for participating in investigations and embedding the learning.
When an incident occurs, staff involved in the incident are encouraged to come together in a “swarm huddle” to debrief and take stock of what has happened to support the wellbeing of all those involved. It is also a good opportunity to agree what steps they can practically take to ensure the safety of the people involved and to consider if there are any residual risks that need to be escalated without delay.
Service managers are responsible for ensuring the learning from incidents is recorded, shared with the team and embedded in practice. The Quality and Safety Team will maintain oversight of incidents, identifying themes and trends that can inform learning and improvements in quality and safety.
The Quality Reference Group will maintain oversight of recommendations and action plans arising from incident investigations to ensure actions are completed in a timely manner, escalating to the Group Quality and Safety Committee where there are issues. They will also consider where there is wider learning for the organisation and share this in communication bulletins.
To support learning from incidents, Patient Safety Specialists will be involved in reviewing incident themes and trends and safety processes.
17. Shared Involvement with Other Organisations
For incidents involving other agencies or organisations, the possibility of jointly commissioning a single review will be considered by the Quality and Safety team for level 1 and 2 incidents or by the Serious Incident Review Group for level 3 incidents. The aim is to enable local reviews to proceed as soon as possible and for lessons to be learned, whilst ensuring coordination of procedures and avoiding duplication of processes. Robust communication is vital when more than one agency is involved in an incident.
18. Responsibilities
Provide Group Board
The Board will set in place an effective quality assurance structure that includes robust incident management processes and oversight of risks, themes and trends arising from incidents as well as reporting and oversight of all serious incidents.
The Provide Group Quality & Safety Committee (QSC)
QSC is the designated Board Committee that will maintain oversight of quality and safety across the Provide Group. All serious incidents will be reported to QSC with the exception of Information Governance Incidents which will also be reported to the Finance and Investment Committee. QSC will request deep dives to explore incident themes and trends and will set in place processes to monitor and assure learning from incidents has been acted on and completed. This includes ensuring action plans to implement recommendations are completed.
Group Chief Executive Officer (Group CEO)
Has overall accountability for all matters relating to incident reporting and management across the organisation and Provide Group. The Group CEO is responsible for ensuring that systems are in place to report and monitor incident data, respond appropriately to incidents, and learn with respect to all incidents. The Group CEO is also responsible for ensuring that relevant information is made available to the Provide Group Board with respect to reporting and learning from all incidents.
Group Chief Officers
Group Chief Officers are responsible for:
• As part of the Senior Leadership team, collectively maintaining oversight of incidents and risks across the Provide Group
• Ensuring appropriate management, investigation and embedding of recommendations and learning from incidents and leading on oversight and management of all risks associated with incidents.
• Declaring a serious safety incident when appropriate and initiating an appropriate management response and investigation
• Ensuring appropriate reporting of incidents and risks to company Boards, the Group Quality and Safety and Finance and Investment Committees as appropriate and ultimately to the Group Board.
The Chief Executive (Health) and Group Chief Nurse has responsibility across the Provide Group for Quality and Safety and maintains oversight of incident management across the Group via the Quality and Safety Team function.
The Group Chief Finance Officer has responsibility for and maintains oversight of all Information Governance incidents, leading on management of all Serious Incidents associated with IG.
If an incident requires a decision in the absence of the Group Chief Officer responsible for the service, the Chief Executive (Health) and Group Chief Nurse will make the decision. If both are absent the Group Chief Executive will decide.
Directors
Directors are responsible for:
• Ensuring that they and all members of their staff are aware of and act in line with the relevant policies governing incidents and associated reporting and learning.
• Ensuring all incidents are appropriately managed within their services and identified learning and themes and trends are used to improve quality and safety.
• Leading the management response to serious incidents arising in their services and for collectively working to manage incidents effectively across the Provide Group, so that all recommendations and learning are embedded within the services in a timely manner.
Service Leads/ Registered Managers
Service Leads / Registered Managers are responsible for:
• Ensuring their staff are aware of what to do if an incident or near miss occurs and how to report them
• Ensuring timely review and handling of reported incidents to ensure service safety and to assess harm levels
• Completing reviews and investigation of incidents to identify learning and taking action to improve safety and quality
• Escalating risks and incidents of concern to service Directors and the Quality and Safety Team
The Quality and Safety Team
The Quality and Safety Team is responsible for:
• Maintaining oversight of incident themes and trends across the Provide Group to identify opportunities for learning and quality improvement.
• Providing expertise on incident management to all staff across the Provide Group
• Facilitating the appropriate response to incidents as they arise.
• Putting systems and processes in place to ensure reporting and oversight to inform quality assurance.
• Supporting the training and education of staff on incident management.
The Health and Safety Team
The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) 2013 requires a named responsible person on behalf of the organisation to report to the local office of the Health and Safety Executive (HSE). The Health and Safety Lead has been designated as the responsible person on behalf of the Provide Group.
The Health and Safety Lead will:
• be responsible for ensuring the statutory notification of those specified incidents to the Health and Safety Executive (HSE).
• receive and manage the process of RIDDOR reportable incidents, checking that the forms are completed correctly and sent to the relevant office of the HSE in the prescribed timescale, normally 15 working days
Investigators / Handlers
Investigators / Handlers are responsible for:
• Undertaking a comprehensive review of incidents ensuring the people involved are engaged and involved to ensure their lived experience informs the learning
• Escalating any risks that may affect quality and safety to the Service Manager.
• Identifying the learning from an incident and working with the service manager and staff to improve quality and safety
All staff (clinical and non-clinical) within Provide Group
All staff (clinical and non-clinical) are responsible for:
• Being aware of what to do if an incident occurs to keep people safe and how to report it in hours and out of hours
• Reporting all incidents and near misses using the Datix Incident Reporting System or Access System as appropriate
• Informing their relevant Service Manager when incidents or near misses happen within their area, who in turn must inform the Service Director
• Contributing to investigations, being open and honest about their actions
• Contributing to the implementation of actions to improve safety and quality
• Speaking up (whistleblowing) if they are concerned about safety and quality where they work
19. Notifications and Reporting
Some incidents will require reporting to additional external bodies. Service Directors will work with Group Chief Officers and the Quality and Safety Team or Health and Safety Team where relevant to agree what notifications are required and completed.
Commissioners / Lead Provider
Health and Social Care contracted services are required to report all serious incidents to the commissioner without delay, and if Provide is a sub-contractor the Lead Provider would need to be notified so they in turn can inform the Commissioner.
Police
Criminal incidents will be reported to the police. These may include assaults or significant threats of harm, hate crimes, theft, vandalism, suspicious activity, or unexpected deaths. Incidents that are suspected to involve deliberate harm or neglect of a Service User may also need to be reported to the police.
If a matter needs to be reported to the police this can be done by the victim if they are able and want to report the incident, or by Provide staff on behalf of the victim to ensure their safety or, in the case of an unexpected death, to ensure appropriate reporting and investigation can take place. Police can be informed by calling 101 for non-emergency incidents or by calling 999 in an emergency. All matters reported to the police should be recorded in Datix or Access and the Quality and Safety Team should be notified as soon as possible so the incident can be investigated and to ensure any onward reporting to the CQC is completed if required.
Care Quality Commission (CQC)
Statutory notifications are required to be sent without delay for organisations' services regulated by the CQC in the following circumstances:
• Allegations of abuse (against Provide services)
• Death of a person using the service where the death arises as a result of service delivery and how it was provided
• Serious injury to a person where the injury arises as a result of service delivery and how it was provided
• Events that stop a service running safely and properly
• Police Involvement in an incident where the incident affected someone's health, safety and welfare when using, visiting or working at the service.
Up to date guidance can be found on the CQC website.
Safeguarding
An incident where there is suspected abuse or neglect should be reported to Social Care, as they have a statutory duty to safeguard and promote the welfare of children and adults at risk.
UK Health Security Agency (UKHSA)
The UKHSA prevents, prepares for and responds to infectious diseases and environmental hazards. All notifiable infections, if suspected or confirmed, are reportable to the UKHSA; a full list can be found on the UKHSA website.
HM Coroner
Sudden and/or unexpected and/or unnatural deaths are notifiable to HM Coroner. In the event of a sudden death the Coroner is informed as a priority and as soon as practicable.
Health & Safety Executive (HSE)
Incidents notifiable under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR). The Health and Safety Team will ensure that they notify HSE following the RIDDOR process of any incident where a member of staff is unable to perform their normal job for more than seven days as a result of an accident or incident at work and about any other potential RIDDOR reportable incident.
Medicines & Healthcare Products Regulatory Agency (MHRA)
Suspected adverse reactions to drugs are notifiable by doctors, nurses, service users, and pharmacists through the Yellow Cards Scheme. Advice and Yellow Cards are available from the MHRA website and are included in the British National Formulary (BNF). Adverse incidents relating to medical devices are also reportable to the MHRA. All incidents involving medical devices will be reviewed by the Provide Medical Device Safety Officer (MDSO).
Environmental Health Department
Confirmed reports of food poisoning are notifiable to the relevant Local Authority Environmental Health Department

Information Commissioner's Office (ICO)
When a personal data breach has occurred, you need to establish the likelihood of the risk to people's rights and freedoms. If a risk is likely, you must notify the ICO; if a risk is unlikely, you don't have to report it. If a reportable incident is identified, this must be reported to the ICO without undue delay and no later than 72 hours after becoming aware of it. If the breach is likely to result in a high risk to the individuals, then we must inform the affected individual without undue delay. The ICO provides guidance on the factors that we should take into account when assessing the risk.
NHS estates
Provide CIC is required to report incidents relating to fire, buildings, plant, and non-medical equipment to NHS estates. Managers dealing with such incidents must contact the Health and Safety Team with all the relevant information to enable the health and safety lead to complete the required report form.
20. Media
An incident may attract media attention and generate a demand for information from the public or service user(s) affected by the incident. Where potential media interest exists, this will be dealt with by the relevant Group Chief Officer with the support of the Head of Communication or another Group Chief in their absence.
If necessary, a media response plan will be created. The plan will provide reassurance on any public interest issues and promote any help lines for members of the public or service users who may be adversely affected by the incident.
Staff should not respond to any media enquiries directly or comment on an incident in the media or on social media. All media enquiries should be directed to the Communications Team.

Appendix 1: Assessing a Cyber Security Incident
All Cyber SIRIs entered onto the IG Toolkit Incident Reporting Tool, confirmed as severity level 2, will trigger an automated notification email to the DH and HSCIC. The primary factors for assessing the severity level are the criticality and scale of the incident in terms of the potential for impact on confidentiality, integrity or availability.
Please note: When targeted systems are protected, e.g. by an Intrusion Prevention System, so that no services are affected, the sensitivity factors will reflect that the risk is low.
When calculating the severity of a Cyber security incident there are 2 factors which influence the severity: Scale and Sensitivity.
Scale Factors
The scale provides the base categorisation level of an incident, which will be modified by a range of sensitivity factors.
Cyber Baseline Scale*
0 No impact: Attack(s) blocked
0 False alarm
1 Individual, Internal group(s), team or department affected.
2 Multiple departments or entire organisation affected.
A further category of Cyber SIRI is also possible and should be used in incident closure to review the severity. Where it is determined that it was a near miss or the incident is found to have been mistakenly reported it should be categorised as:
• No impact: Attack blocked
• False Alarm
Where a Cyber SIRI is found not to have occurred, or severity is reduced due to fortunate events which were not part of pre-planned controls, this should be recorded as a “near miss” to enable learning from the event.
Sensitivity Factors
Sensitivity in this context may cover a wide range of different considerations and each incident may have a range of characteristics, some of which may raise the categorisation of an incident and some of which may lower it. The same incident may have characteristics that do both, potentially cancelling each other out. For the purpose of Cyber SIRIs sensitivity factors may be:
iii. Low – reduces the base categorisation
iv. High – increases the base categorisation
Internal Assessment Checklist (Datix) for Information Governance Incidents (IGSI’s)
• This form must be completed for each incident reported as a potential IGSI
• Once completed it must be attached in the documents section of the relevant incident recorded on Datix
• This form can also be completed on Datix.
• Any IGSI’s which achieve a level 2 or above must be counter agreed either by the SIRO or a Director of the organisation prior to inputting the incident on the DSPT Toolkit.
Example Incident Classification (Cyber SI)
A An organisation’s Twitter and Facebook accounts are compromised and posts made by a group with forthright views on healthcare provision. The organisation knows a neighbouring provider has also had issues with their social media accounts. Although it is easy to change the account passwords, the trust is unsure how to prevent reoccurrence.
Baseline scale factor 1
Sensitivity Factors
+1 Likely to attract media interest
+1 Require advice on additional controls to put in place to reduce reoccurrence
+1 Aware that other organisations have been affected
Final scale point 4 so this is a level 2 and would be reportable
B A disgruntled technician from the IT Department who is due to be downgraded as part of a reorganisation deletes vast sections of the Active Directory structure (discovered through audit trails). The organisation’s recovery efforts were prolonged due to issues with backup and rollback, with IT “normality” returning 48 hours post event. The organisation does not have a full EPR and so was able to put contingency plans in place and consequently there was not intense media interest.
Baseline scale factor 2
Sensitivity Factors
+1 Critical business system unavailable for over 24 hours
Final scale point 3 so this is a level 2 and would generate an alert
C An organisation offers free WIFI for patients and visitors in its buildings. There is also a business WIFI which is widely used with mobile devices at the point of care to support clinical pathways. As part of a routine examination of audit logs it’s believed that a user of the public WIFI has managed to cross over from the public Wi-Fi to the business network. There is also some evidence that certain accounts have unexpectedly had elevated rights applied around the same time frame, though due to lack of system-wide logging it’s not clear what has been affected and whether the two events are connected. The organisation is unsure how to deal with the situation and switches off both public and business WIFI.
Baseline scale factor 2
Sensitivity Factors
+1 Critical business system unavailable for over 4 hours
+1 Require advice on additional controls to put in place to reduce reoccurrence
Final scale point 4 so this is a level 2 and would generate an alert
D An organisation utilises a 3rd party to provide a salary sacrifice car scheme. The provider’s website features the available cars and the ability to calculate your expected contribution. The website is hosted on an external cloud in North America which suffers a denial-of-service attack making the system unavailable for over half the working day.
Baseline scale factor -1
Sensitivity Factors
-1 A tertiary system affected which is hosted on infrastructure outside health and social care networks.
Final scale point -1 so this is a level 0 and would not generate an alert
E An organisation’s web site was subject to a large flux of incoming packets from IP addresses outside the U.K. that were intended to make the site unavailable. The trust’s new IPS system detected the attack and took appropriate action so that the site suffered no loss of access.
Baseline scale factor 0 No impact: Attack(s) blocked
Sensitivity Factors
None
Final scale point 0 so this is a level 0 and this should be locally determined whether this should be logged. N.B. When determining reporting, consideration should be given to the intelligence value of the incident(s) in informing Cyber responses and not the effect (or lack of effect) of a particular incident(s).
F A service user complains that a member of staff has initially befriended them on social media then made a number of inappropriate approaches. The approaches are rejected, which leads to the member of staff harassing and trolling the service user. Upon investigation it is discovered the member of staff has utilised business IT equipment and accessed social media sites in line with the organisation’s social media / fair usage policy. The member of staff has also disclosed details of where the service user resides and treatment plans.
Baseline scale factor 1
Sensitivity Factors

+1 Likely to attract media interest
Final scale point 2 so this is a level 2 and would generate an alert. This incident should also go through the IG SIRI classification due to the disclosure of confidential information.
Appendix 2: Process to categorise an IG incident
Step 1: Establish the scale of the incident. If this is not known it will be necessary to estimate the maximum potential scale point.
Scoring
0 Information about less than 11 individuals
1 Information about 11-100 individuals
2 Information about 101-1000 individuals
3 Information about 1,001 or more individuals
Step 2: Identify which sensitivity characteristics may apply and adjust the baseline scale point accordingly.
Sensitivity Factors (SF) modify baseline scale
Select as many sensitivity factors as are applicable to the incident.
Scoring: -1 for each
(A) No Sensitive personal data (e.g. Health Information) (as defined by the Data Protection Act 2018) at risk nor data to which a duty of confidence is owed
(B) Information readily accessible or already in the public domain (e.g. Information equivalent to that found in a telephone directory). Limited demographic data at risk e.g. address/name not included
(C) Information unlikely to identify individual(s)
(D) Security controls/difficulty to access data
Scoring: 0 for each
(E) Basic demographic information at risk e.g. telephone number
Scoring: +1 for each
(F) Detailed clinical information at risk e.g. clinical/care case notes, social care notes
(G) Failure to implement, enforce or follow up appropriate policy/safeguards to protect information e.g. failure to encrypt mobile technology
(H) Individual(s) affected are likely to suffer substantial damage or distress, including significant embarrassment or detriment
(I) Likely to attract media interest and/or a complaint has been made directly to the Information Commissioner by a member of the public, another organisation or an individual
(J) One or more previous incidents of a similar type in the past 12 months
(K) Particularly sensitive information at risk e.g. HIV, STD, Mental Health, Children/Young
An internal incident score of 2 and above is reportable to the SIRO, who will establish if the incident should be reported on the DSPT toolkit and to the ICO.
For Further Information please refer to the HSCIC Guidance: Checklist Guidance for Reporting, Managing and investigating Information Governance and Cyber Security Serious Incidents Requiring Investigation
Appendix 3 Definitions /Glossary of Terms
Access System
Electronic incident reporting and management utilising the Access Care Management System in Provide Group support at home services only.
Datix Incident System
Electronic incident reporting and management system utilising the Datix DCIQ system in all areas of the Provide Group except for support at home services, where the incident module in the Access Care Management system is utilised to record and manage the incident within the client record.
Duty of Candour
All health and social care organisations have a legal responsibility to be open and honest with people and their families when something goes wrong with their treatment or care and causes, or has the potential to cause, harm or distress. This includes saying sorry and taking action to put things right where possible.
Handler
The person designated as the Handler of an incident reported on Datix or Access. They are the person who is responsible for managing the incident reported to ensure immediate steps are taken to support the people involved, ensuring appropriate care is provided. They then take action to review the incident to learn lessons and take action to prevent recurrence, escalating and reporting to senior managers where there is a risk of recurrence or where serious harm or death has occurred.
Harm
Harm is the actual impact on a person from the particular incident being reported. This could be an injury (physical or psychological), disease, suffering, disability, or death. Harm is related directly to the incident and not related to the natural progression of an illness or underlying condition.
Incident
Any event or circumstance arising that could have, or did, lead to unintended or unexpected harm, loss or damage to a person, property, or the organisation.
Incident Review Panel
This is a meeting for the incident handler and members of the Quality and Safety team to come together to review the circumstances of an incident that has a harm level of unknown or moderate recorded. Using their professional judgement they consider if an incident can be handled locally or if escalation to a more formal investigation is required to ensure the learning from the incident is achieved and quality improved.
Information Governance Incident
An information governance incident is a suspected, attempted, successful, or imminent breach of security leading to the threat of or actual accidental, unlawful or unauthorised access to, use, disclosure, breach/loss, modification, or destruction of information, including personal information as defined by the UK’s data privacy regulations; interference with the operation of information systems; or a breach of information security policy or procedures, including the acceptable use of IT systems.
Learning from Patient Safety Events (LFPSE)
The NHS require mandatory reporting of all NHS patient safety incidents to the national Learning from Patient Safety Events system, which allows for national oversight and learning from patient safety incidents. The system can be viewed by NHS organisations to allow benchmarking of incidents, as well as by the Care Quality Commission, who can monitor themes and trends across services they regulate.
Near miss
Any event or circumstance that did not result in harm, loss, or damage, but had the potential to do so e.g. a person is nearly given someone else’s medicine but the second checker spots the mistake and takes action to prevent the medicine being given. Therefore the incident did not occur but had it occurred harm may have resulted.
Never Event
Never Events are defined as Serious Incidents that are wholly preventable because guidance or safety recommendations that provide strong systemic protective barriers are available at a national level and should have been implemented by all healthcare providers.
Notifiable safety incident
This is a specific term defined in the duty of candour regulation. It should not be confused with other types of safety incidents or notifications. A notifiable safety incident must meet all 3 of the following criteria:
1. It must have been unintended or unexpected.
2. It must have occurred during the provision of an activity regulated by the CQC.
3. In the reasonable opinion of a healthcare professional, already has, or might, result in death, or severe or moderate harm to the person receiving care.
Patient Safety Incident
Something unexpected or unintended has happened, or failed to happen, that could have or did lead to patient harm.
Patient Safety Incident Response Framework (PSIRF)
This is the national NHS framework that has replaced the NHS serious incident framework, which sets out a more proportionate and considered process to managing patient safety incidents in NHS contracted services. Refer to Provide Group policy QSPOL15 Patient Safety Incident Response Policy for more information.
Reporter
Person who identifies an incident and reports it onto Datix / Access system.
Safety Incident
Something unexpected or unintended has happened, or failed to happen, that could have or did lead to harm to a service user/ member of staff/ member of the public.
Serious Incident
An adverse event, where the consequences are so significant that a detailed response is justified. Examples are:
• Serious harm or death has occurred to service users as a result of care delivery or acts or omissions in care
• Serious harm or death has occurred to members of the public while visiting the organisation or to staff while undertaking their duties
• Test result errors affecting multiple people with the potential that one or more people have been harmed
• Multiple people are affected by the loss of, sharing of or inappropriate access to their personal data and the incident requires reporting and investigation in line with Information Commissioner guidelines
Serious Incident Review Group
This is a meeting of senior managers to co-ordinate and oversee the investigation of serious incidents to ensure a robust investigation is undertaken to achieve learning from the incident.
Appendix 4: Template Agenda for Initial SIRG
Agenda
Serious Incident Review Group Date & Time:

Item Agenda
1
• Welcome
• Declarations of Interest
2 Review of Events
• Incident to be investigated as a serious incident? Yes/ No
• Is this a NEVER Event Yes /No
3 Assess the level of harm
• Who has been harmed and to what level – is it confirmed
• Are others at risk of harm /potential risk of harm
• Agree process to track harm for all involved
4 Investigation Process
Agree how the investigation will be undertaken
Single investigator
Investigation Panel
External Investigator to be commissioned
External Agency e.g. NHS England, UKHSA, Coroner inquest, Police Investigation, HSE investigation or other.
5 Designate IO /Investigation Panel
• Identify an investigating officer or Investigation Panel (Chair and members of the panel to be identified)
6 TOR
• Agree Terms of Reference for the investigation
7 Involvement & Engagement
• Agree how the people involved will be informed, involved and engaged
• Confirm process for completing Duty Of Candour
8 Notifications
Identify who has been notified of the incident so far, and consider who else needs to be notified and who will complete the notifications:
The Senior Leadership Team
The Care Quality Commission
The Health and Safety Executive
The Information Commissioners Office
The Commissioner for the service
UKHSA
MHRA
The Police
The Local Authority if there are Safeguarding concerns
other
9 Media
Consider if there is likely to be any media interest and agree management
10 Date and Time of next meeting:
Lead Papers
EQUALITY IMPACT ASSESSMENT TEMPLATE
Stage 1: ‘Screening’
The Equality Impact Assessment needs to be completed so that any decisions made are compliant with the aims of the Public Sector Equality Duty – and that any adverse impact for any protected characteristics are identified and resolved.
Policy Title
Provide Group Incident Reporting and Management Policy
Provide a brief summary (bullet points) of the aims of the Policy
To set out the process and principles of how incidents will be reported, managed and investigated across the Provide Group
EQIA Assessor Name and Job Title
Bridgette Beal
Director Nursing & Allied Health Professions

Date of Assessment
11 October 2024
This stage establishes whether a proposed initiative will have an impact from an equality perspective on any particular group of people or community or whether it is “equality neutral” (i.e. has no effect either positive or negative).
Q1. Will this policy affect one of the following groups more or less favourably than another?
Group More Less Neutral Details
Details: If more or less, explain impact and any valid legal and/or justifiable exception. Include the source of any evidence
Age
Consider impact and detail across age ranges on old and younger people. This can include safeguarding, consent and child welfare
Disability
Consider and detail impact on attitudinal, physical, and social barriers.
Sex
Consider and detail impact on men and women (potential to link to carers)
Gender reassignment (including transgender)
Consider and detail impact on transgender and transsexual people. This can include issues such as privacy of data and harassment.
Pregnancy and maternity
Consider and detail impact on working arrangements, part-time working, infant caring responsibilities.
Race
Consider and detail impact on different ethnic groups, nationalities, Roma gypsies, Irish travellers, language and communication barriers.
Religion or belief
Consider and detail impact on people with different religions, beliefs or no belief.
Sexual orientation
Consider and detail impact on heterosexual people as well as lesbian, gay and bi-sexual people
Carers
Consider and detail impact on part-time working, shift-patterns, general caring responsibilities
Other identified groups
Consider and detail on different socioeconomic groups, area inequality, income, resident status (migrants) and other groups experiencing disadvantage and barriers to access.
Assessed Impact overall Positive ✓ Neutral
Negative

Is the impact of the initiative – whether positive or negative - significant enough to warrant a more detailed Stage 2 assessment? Yes ✓ No
Guidelines: Things to consider
• Equality impact assessments at Provide take account of relevant equality legislation and include age (i.e. young and old); race and ethnicity, gender, disability, religion and faith, and sexual orientation.
• The initiative may have a positive, negative or neutral impact, i.e. have no particular effect on the group/community.
• Where a negative (i.e. adverse) impact is identified, it may be appropriate to make a more detailed EIA (see Stage 2), or, as important, take early action to redress this – e.g. by abandoning or modifying the initiative. NB: If the initiative contravenes equality legislation, it must be abandoned or modified.
• Where an initiative has a positive impact on groups/community relations, the EIA should make this explicit, to enable the outcomes to be monitored over its lifespan.
• Where there is a positive impact on particular groups does this mean there could be an adverse impact on others, and if so can this be justified? - e.g. are there other existing or planned initiatives which redress this?
• It may not be possible to provide detailed answers to some of these questions at the start of the initiative. The EIA may identify a lack of relevant data, and that data-gathering is a specific action required to inform the initiative as it develops, and also to form part of a continuing evaluation and review process.
• It is envisaged that it will be relatively rare for full impact assessments to be carried out at Provide. Usually, where there are particular problems identified in the screening stage, it is envisaged that the approach will be amended at this stage, and/or setting up a monitoring/evaluation system to review a policy’s impact over time.
EQUALITY IMPACT ASSESSMENT TEMPLATE
Stage 2
(To be used where the ‘screening’ phase has identified a substantial problem/concern)
This stage examines the initiative in more detail in order to obtain further information where required about its potential adverse or positive impact from an equality perspective. It will help inform whether any action needs to be taken and may form part of a continuing assessment framework as the initiative develops.
Policy/ Project Title
EIA Assessor Name and Job Title Date of Assessment
EIA Review by Chief Officer name and Job Title Date Of Review
Outcome of Chief Officer Review
Q1. What data/information is there on the target beneficiary groups/communities?
Are any of these groups under- or over-represented? Yes No
Do they have access to the same resources? Yes No
What are your sources of data and are there any gaps?
Q2. Is there a potential for this initiative to have a positive impact, such as tackling discrimination, promoting equality of opportunity and good community relations? Yes No
If yes, how? Which are the main groups it will have an impact on?
Q3. Will the initiative have an adverse impact on any particular group or community/community relations? Yes No
If yes, in what way? Will the impact be different for different groups – e.g. men and women?
Q4. Has there been consultation/is consultation planned with stakeholders/ beneficiaries/ staff who will be affected by the initiative? Yes No
Summarise (bullet points) any important issues arising from the consultation
Q5. Given your answers to the previous questions, how will your plans be revised to reduce/eliminate negative impact or enhance positive impact?

Are there specific factors which need to be considered? Yes No
Q6. How will the initiative continue to be monitored and evaluated, including its impact on particular groups/ improving community relations? Where appropriate, identify any additional data that will be required
Guidelines: Things to consider
• An initiative may have a positive impact on some sectors of the community but leave others excluded or feeling they are excluded. Consideration should be given to how this can be tackled or minimised.
• It is important to ensure that relevant groups/communities are identified who should be consulted. This may require taking positive action to engage with those groups who are traditionally less likely to respond to consultations, and could form a specific part of the initiative.
• The consultation process should form a meaningful part of the initiative as it develops, and help inform any future action.
• If the EIA shows an adverse impact, is this because it contravenes any equality legislation? If so, the initiative must be modified or abandoned. There may be another way to meet the objective(s) of the initiative.