NHS trusts need to prioritise data security, says Fiona Caldicott

National data guardian Fiona Caldicott’s report on data security in the NHS recommends 10 new data security standards that will apply to all organisations holding health and care information

Fiona Caldicott’s review of NHS information governance (IG) and data security sets out 10 new standards based around people, processes and technology.

While Caldicott said there is “a lot of good practice” across the NHS, there are problems where data is not always protected and organisations aren’t consistently held to account.

In September 2015, the Care Quality Commission (CQC) was asked by health secretary Jeremy Hunt to undertake a review of the standards of data security across the NHS, which Caldicott would then use to develop new data security standards.

The report, originally due to be published in April 2016 but delayed by the EU referendum, sets out a series of recommendations, including a redesigned IG toolkit to avoid a “tick-box exercise”.

Speaking at a press briefing, Caldicott said self-assessment of compliance would be a thing of the past; instead, compliance would be tested during regular audits of health and care organisations’ data security. The Health and Social Care Information Centre (HSCIC) should also be able to report organisations with poor control over data security to the CQC.

“I would like to see it to be much more user-friendly, not to be a self-assessment toolkit. You can’t mark your own homework,” she said.

New standards

The report also recommends that NHS England changes its financial contracts to require organisations to take data security standards into account, and asks the Department of Health to put in place harder sanctions for malicious or intentional data security breaches.

The 10 data security standards set out in the report all highlight the need for leadership from the top of the organisation.

The standards include ensuring that technology is secure and up to date, that people are equipped to handle information safely, and that staff have proper training and understand their responsibilities.

The report also recommends that personal confidential data is only accessible to staff who need it, and that processes are reviewed “at least annually to identify and improve processes which have caused breaches or near misses”.

Public consultation

Life sciences minister George Freeman said the government accepted the recommendations in the report and was launching a consultation on the proposed data security standards, which will run until the first week of September 2016.

“As the health and social care system becomes increasingly paperless and digital it also becomes ever more important that there are adequate and robust protections in place to protect the data and information held within it,” he said.

“All health and care organisations that handle sensitive information should be working towards giving patients the highest levels of trust and confidence and reducing the risk of external threats and potential breaches.”

CQC chief executive David Behan said that without “robust processes” there is a risk that information may be compromised, not accessible when needed, or not kept confidential.

“We worked with 60 NHS organisations for this review, and those which demonstrated good practice on data security shared common characteristics: senior leadership who took this issue seriously and demonstrated ownership and responsibility; staff who were provided with the right information, tools, training and support; and systems and protocols designed around the needs of frontline staff, reducing the need for them to develop shortcuts to deliver timely patient care. But too often, not all these elements were in place,” he said.

“CQC has set out six recommendations aimed at improving arrangements for protecting personal data, and assuring the new standards proposed by the National Data Guardian. These recommendations focus on three key themes that are fundamental to the secure handling of data: people, processes and technology. Ultimately, however, it is for NHS leaders to demonstrate clear ownership and responsibility for data security, just as they do for clinical and financial management and accountability.”

The CQC recommendations include that “IT systems and all data security protocols should be designed around the needs of patient care and frontline staff to remove the need for workarounds, which in turn introduce risks into the system”.

The CQC will also amend its assessment framework to ensure that “appropriate internal and external validation against the new data security standards” are undertaken.