NHS data security standards to be designed around technology, people and processes

The Care Quality Commission’s delayed review of NHS data security standards will encourage NHS organisations to have senior information risk owners and Caldicott Guardians at board level

In a letter sent out to all NHS trusts by the Care Quality Commission (CQC) and Dame Fiona Caldicott, trusts are encouraged to begin improving their data security capabilities.

In September 2015, health secretary Jeremy Hunt asked the CQC to undertake a review of the standards of data security across the NHS. Caldicott contributed to the review by developing guidelines for the protection of personal data, against which every NHS organisation will be held to account.

While the official review is delayed until after the European Union (EU) Referendum, the CQC and Caldicott have written to trusts about how they can prepare for the full report.

The letter, seen by Computer Weekly, says the data security standards “are designed to be as relevant to GPs and smaller care providers as they are to large NHS trusts”.

While there is some good practice across health and care already, the letter said the review has identified areas where “more could be done to protect against risk”.

“Identifying the appropriate leaders in your organisation with responsibility and accountability for data security is vital, just as it is for clinical and financial management and accountability,” the letter said.

It also said organisations are encouraged to have senior information risk owners (SIROs) and Caldicott Guardians on the board.

“Improving data security capability depends on staff at all levels having access to training which meets a national standard. This is particularly important for board-level leaders, SIROs, Caldicott Guardians and staff with responsibility for handling,” the letter added.

Read more about the NHS and security

  • The government’s Verify identity verification platform isn’t secure enough for the NHS, so Liverpool Clinical Commissioning Group and HSCIC are working to add extra levels of security.
  • NHS IT managers think security measures in the NHS are stronger than they actually are, according to a study.
  • As NHS England restarts its programme, we look at how it is intended to work, the legislative background and the data security concerns.

The Health and Social Care Information Centre (HSCIC) will look at how the “requirement can be met from suitably qualified suppliers, helping to ensure consistency and a focus on the specific challenges faced by health and care organisations”.

Organisations will also have to have processes in place to prevent data security breaches. HSCIC’s CareCERT programme aims to help front-line staff tackle potential breaches, and to make the programme the “trusted brand” for cyber security in the NHS and social care.

The CareCERT team is also creating an information-sharing portal, which encourages people to understand their personal responsibility for data security. It is where all guidance and best practice will be issued.

Caldicott’s guidance on a consent and opt-out model for the sharing of patient information has also been delayed until after the referendum.

“In the meantime, we would encourage organisations to ensure there is a clear view of all data flows and the purposes and legal bases for these,” the letter said.
