
Cyber Incident Reporting for NHS Suppliers

You've worked hard to win NHS contracts. You've passed the audits, met the DSPT requirements, and built a reputation as a trusted supplier. The last thing you want is a cyber incident unravelling all of that, not because the incident happened, but because of how it was handled.

Here's the reality: cyber incidents affecting NHS suppliers are increasing. And when they happen, you don't just have one organisation to answer to, you have two. Miss either reporting window, and you're not just facing a regulatory fine. You're risking the contracts, the relationships, and the reputation you've spent years building.

This blog walks you through exactly what you're legally and contractually obligated to do, when to do it, and how to make sure you're ready before an incident ever happens.

What Actually Counts as a Reportable Cyber Incident?

Not every security alert is a reportable breach. But knowing the difference matters, because getting it wrong in either direction causes problems.

Personal Data Breaches Under UK GDPR

Under UK GDPR, a personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. In practice, that means:

  • A ransomware attack that encrypts systems holding patient or staff data
  • Unauthorised access to NHS records or client data
  • A misdirected email containing personal information
  • A lost or stolen device with unencrypted data
  • Any system compromise where personal data may have been exposed

Not Every Incident Triggers ICO Notification

The ICO's threshold for mandatory reporting is whether the breach is "likely to result in a risk to the rights and freedoms of individuals." A blocked malware attempt with no data access? That probably doesn't need to go to the ICO.

But here's the catch: your NHS contract may require you to notify your client about broader security incidents regardless of whether they cross the ICO threshold. These are two separate obligations, and they need to be treated that way.

Your Dual Reporting Obligations

This is where many NHS suppliers come unstuck. They focus on one obligation and miss the other, or assume that complying with one satisfies both. It doesn't.

1. Reporting to the ICO (UK GDPR)

Under Article 33 of UK GDPR, you must notify the ICO of a personal data breach within 72 hours of becoming aware that one has occurred.

"Becoming aware" doesn't mean once your investigation is complete. It means when you have reasonable certainty that a breach has happened. You cannot delay notification in order to gather more information; you notify, then update.

Your initial notification must include:

  • The nature of the breach, including the categories and approximate number of individuals and records affected
  • The name and contact details of your Data Protection Officer or relevant contact
  • The likely consequences of the breach
  • The measures you've taken or plan to take to address it and mitigate harm

In some cases, you'll also need to notify affected individuals directly — particularly where there's a high risk to their rights and freedoms. This must be done without undue delay, in clear and plain language.

2. Notifying Your NHS Client (Contractual Requirement)

This is often the obligation that catches suppliers off guard. NHS contracts — particularly those aligned to the NHS Standard Contract — typically require breach notification within 24 to 48 hours, which is faster than the ICO's 72-hour window.

Check your specific contract. The timelines vary, but the expectation is consistent: your NHS client needs to know promptly, even if your investigation is still ongoing.

What they need from you immediately:

  • The nature of the incident (ransomware, unauthorised access, data breach)
  • Which systems and data are affected
  • Whether NHS service delivery is impacted
  • What initial containment steps you've taken

What they'll need in follow-up reporting:

  • Root cause analysis
  • Full scope of the impact
  • Remediation completed and planned
  • Lessons learned and preventative measures going forward

Your NHS client's information governance team will have their own reporting obligations to meet. Making their job harder by being slow or opaque will damage the relationship far beyond the incident itself.

The Timeline: What to Do and When

Within hours of discovery:

  • Activate your incident response plan
  • Begin containment and preserve evidence
  • Determine whether personal data is involved
  • Check your contractual notification timelines

Within 24–48 hours:

  • Notify NHS clients per your contract, even if the investigation isn't complete
  • Provide an initial incident summary and impact assessment

Within 72 hours:

  • Submit your breach notification to the ICO if the threshold is met
  • If you can't include all required information yet, submit what you have and commit to following up

In the days and weeks following:

  • Provide detailed follow-up reports to both the ICO and your NHS clients
  • Complete root cause analysis and full remediation
  • Update your policies and controls based on what you've learned
  • Document the entire incident response for DSPT compliance evidence

The Mistakes NHS Suppliers Commonly Make

Waiting until the investigation is complete before notifying. The 72-hour clock starts when you become aware, not when you have answers. Submit your initial notification and follow up.

Only reporting to the ICO and forgetting your contract. Regulatory compliance and contractual compliance are not the same thing. Your NHS client may have a shorter deadline — and breaching your contract is a serious consequence in its own right.

Underestimating the scope or severity. If you're uncertain, over-report and update. Regulators and clients consistently respond better to transparency than to minimised disclosures that later prove incomplete.

Failing to document everything. Your documentation is your evidence — for ICO investigations, DSPT compliance, and any contract disputes. If it isn't recorded, it didn't happen.

Not having a plan before an incident occurs. Templates, contact lists, decision trees, escalation paths — these need to exist before the pressure is on. Creating them in the middle of a crisis is too late.

Building an Incident Response Plan That Actually Works

Before an Incident Happens

Know your reporting obligations in advance. Identify the ICO's online breach reporting portal. Read your NHS contracts and extract the specific notification clauses and contact points. Map your internal escalation paths.

Create notification templates for both the ICO and your NHS clients. Maintain up-to-date contact lists. Establish clear criteria for what makes an incident reportable versus manageable internally. Train your team on how to recognise a breach and who to escalate it to.

During an Incident

Follow your plan. Contain, preserve evidence, and communicate. Don't wait for perfect information before notifying — be transparent about what you know and what you're still determining.

Engage legal, cybersecurity, and communications expertise as needed. Keep your NHS clients updated throughout, not just at the beginning and end.

After an Incident

Complete your formal reports. Conduct an honest post-incident review. Update your policies and controls. Monitor for regulatory follow-up. And make sure your DSPT evidence reflects both the incident and your response; auditors will look for it.

What's at Stake If You Get It Wrong

ICO Enforcement

The ICO operates a two-tier fining structure under UK GDPR and the Data Protection Act 2018:

  • Higher tier: fines up to £17.5 million or 4% of global annual turnover (whichever is higher) — applies to the most serious violations, such as breaches of core data protection principles or individual rights.
  • Standard tier: fines up to £8.7 million or 2% of global annual turnover (whichever is higher) — this is the tier most likely to apply to a failure to notify a breach on time.

Even a standard-tier penalty represents a significant financial and reputational consequence. In addition to fines, the ICO can issue formal reprimands and enforcement notices, require remedial actions, and publicly disclose enforcement action — all of which can damage client trust and future procurement prospects.

NHS Contractual Consequences

  • Breach of contract for failure to notify per contractual terms
  • Potential contract suspension or termination
  • Loss of future NHS business opportunities
  • Required remediation plans and increased oversight

DSPT Impact

  • Incidents must be logged and reported in DSPT submissions
  • Poor incident management can result in a Standards Not Met assessment
  • May affect access to NHS systems and data

Reputational Damage

  • Loss of trust with NHS clients
  • Media coverage of significant breaches
  • Difficulty winning new NHS contracts
  • Competitive disadvantage in procurement

What You Should Do Now

You don't need to wait for an incident to start protecting yourself.

Know your dual obligations — ICO 72-hour reporting and your NHS contract terms, which are often shorter. Review your current contracts and extract the specific notification clauses. Build or update your incident response plan and test it. Create notification templates for both the ICO and your clients. Train your team on what constitutes a breach and how to escalate it.

Most importantly: build the relationship with your NHS client's information governance team now, not during a crisis. Suppliers who communicate clearly and promptly during incidents don't just survive them; they often strengthen the relationship as a result.

A cyber incident doesn't have to end your NHS relationships. Your response, and how quickly and transparently you communicate, is what regulators and clients will remember.

The suppliers who weather incidents well are the ones who are prepared. They had plans, templates, trained teams, and pre-established contact points. They reported promptly, communicated clearly, and documented everything.

If that's not where you are today, it's worth investing the time to get there. The cost of preparation is a fraction of the cost of getting it wrong.