Storing clinician mobile numbers on RDS

A data breach was identified on 18 March where media files with clinician mobile numbers were accessible without password protection on RDS. The cause was that password protection applied at parent node (listing page) level did not cascade to media file types, although it did cascade to other page types. Tactuum implemented a fix to address this issue on the same day.

We would ask all editors to note that the RDS is not intended to be used to store clinician-specific information of this type. As far as possible, please identify alternative solutions, e.g. storing on the Intranet and signposting from the RDS. In exceptional circumstances where it is necessary to store on RDS, please apply password protection and test it thoroughly.

The HIS Information Governance team has asked that we require all editors to review their use of RDS for person-specific information of this type and to amend their approach as outlined above. Please complete this review by end of April 2026.