Significant Incident Reporting

Notifiable Scottish Public Sector Cyber Incidents are defined as incidents or attacks against Scottish public sector network and information systems which:

  • have the potential to disrupt the continued operation of the organisation or delivery of public services; and/or
  • carry a likelihood that other public, private or third sector organisations may experience a similar attack, or that the incident could spread to other organisations; and/or
  • could have a negative impact on the reputation of the Scottish public sector or the Scottish Government; and/or
  • carry the likelihood of Scottish Parliament or national media interest.

NIS Regulations. If your Health Board has experienced a significant incident affecting the cyber security and resilience of systems that meets the Thresholds for Incident Reporting, you are required to notify the Scottish Health Competent Authority (SHCA). This also includes impacts with ‘non-cyber’ causes, for example interruptions to power supplies or natural disasters such as flooding, that have affected a service.

UK GDPR/DPA 2018. Notify the Information Governance team within the Scottish Government Digital Health and Care Division (DHAC) of any personal data breach that has led to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data and that meets the Thresholds for Incident Reporting for reporting to the Information Commissioner’s Office. You have to make both notifications without undue delay and within 72 hours of becoming aware, where feasible. Consider informing NCSC if the data breach has cyber-related causes.

If the incident occurred outside core working hours and requires immediate attention, then, as well as completing the form, you also need to contact the Duty Resilience Officer: SGoR Duty Officer – 07623 514719

Once completed, email your NIS Regulations Incident report to the Scottish Government’s Digital Health & Care Division (HealthCA@gov.scot), who, on behalf of the Scottish Health Competent Authority, handle the operational duties and actively work towards ensuring networks and information systems are resilient.

For a UK GDPR/DPA 2018 breach, send the completed Incident form to the Scottish Government’s Digital Health and Care Information Governance Team (DHCIG@gov.scot).


If you decide the cyber incident requires NCSC’s support (for action) or is for wider interest (for information). Then as an Operator of Essential Services (OES) under the NIS Regulation, go to https://report.ncsc.gov.uk and use their form to alert NCSC.

You may have to notify two separate regulators about the same incident – the CA and the ICO (if the same incident is also a personal data breach). You have to make both notifications without undue delay and within 72 hours of becoming aware, where feasible. This is in addition to reporting to your Competent Authority.