Recognising, reporting, and containing breaches
A personal data breach is not limited to hacking. ICO guidance defines a breach as the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to personal information. In pharmacy practice this most often takes mundane forms: an email sent to the wrong recipient, a dispensing bag handed to the wrong person, paperwork left visible, or staff accessing records without a legitimate reason.
Common pharmacy breach examples
- email or text sent to the wrong person
- prescription bag handed to the wrong patient
- sensitive conversation overheard because it was held where others could listen
- paperwork or labels left visible in a public area
- record looked at by a staff member with no need to access it
What staff should do first
- Contain the breach: try to recover the information and limit further exposure.
- Escalate immediately: inform the pharmacist, manager, or information governance lead.
- Record the facts: note what happened, when, who was involved, which information was affected, and what has already been done.
- Do not hide it: delay increases harm and complicates any regulatory response.
ICO guidance says all breaches should be recorded, even those that do not need to be reported. If the breach is likely to result in a risk to people's rights and freedoms, the organisation must report it to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. If the risk is high, the affected people must also be informed without undue delay.
Near misses should still be recorded and reviewed. Focusing only on obvious reportable breaches misses the everyday patterns that lead to larger failures.