Two reviews on how data is used and shared in the NHS and social care were published this week - the Review of Data Security, Consent and Opt-Outs from national data guardian Dame Fiona Caldicott and the Safe data, safe care report from the CQC.
The reviews were commissioned by the DH in September 2015 with a view to developing new data security standards, devising a method of testing compliance with those standards and proposing a new consent/opt-out model for data sharing.
The DH is now consulting on Dame Fiona’s proposed standards and consent/opt-out model. You can access the consultation here.
As a result of Dame Fiona’s review, NHS England has decided to scrap the controversial care.data programme because the proposed consent/opt-out model goes further than the approach planned for care.data.
Despite this, the DH has said it is still committed to ‘realising the benefits of sharing information as an essential part of improving outcomes for patients’. The National Information Board will now take forward this work ‘in close collaboration with the primary care community’.
What do the reports mean for practices?
Until the consultation is complete there will be no immediate changes, but it is highly likely the new standards and a new opt-out process will be adopted.
Below, Medeconomics explains what national data guardian Dame Fiona Caldicott has recommended and also what the CQC says providers need to do to ensure they protect personal data.
Practices can almost certainly expect a more rigorous assessment of their data security policies and procedures during a CQC inspection as a result of these reports.
What are the data security standards?
Dame Fiona Caldicott’s report makes 20 recommendations to improve data security in health and social care, along with setting out 10 new data security standards.
The proposed 10 new security standards are aimed at supporting rather than inhibiting data sharing. They are also designed to address the causes of existing data breaches and protect systems against future breaches.
The standards will apply to all health and social care organisations. When the standards are introduced, practices will be expected to demonstrate that they meet these standards through audit, which regulators such as the CQC will be able to check.
These are the proposed standards:
- All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. Personal confidential data is only shared for lawful and appropriate purposes.
- All staff understand their responsibilities under the National Data Guardian’s Data Security Standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches.
- All staff complete appropriate annual data security training and pass a mandatory test, provided through the revised IG Toolkit.
- Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to individuals.
- Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security.
- Cyber-attacks against services are identified and resisted and CareCERT security advice is responded to. Action is taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection.
- A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management.
- No unsupported operating systems, software or internet browsers are used within the IT estate.
- A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually.
- IT suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the National Data Guardian’s Data Security Standards.
Dame Fiona says that the way these standards are applied will vary depending on the size and type of organisation. She suggests that GP practices may need support from their system suppliers to identify and respond to cyber alerts.
What else has the national data guardian said?
Among her 20 recommendations, Dame Fiona also says that:
- Leaders of every organisation should demonstrate clear ownership and responsibility for data security.
- The Information Governance (IG) Toolkit will be redesigned to reflect the new data standards and managers should use this to engage staff.
- Trusts and CCGs should use an appropriate tool to identify vulnerabilities such as dormant accounts, default passwords and multiple logins from the same account.
- All organisations should provide evidence they are taking action to improve cyber security, for example through the Cyber Essentials scheme.
- NHS England should change its standard financial contracts to require organisations to take account of the data security standards. If a provider does not meet the standards over a reasonable period, a contract should not be extended.
- Arrangements for internal data security audit and external validation should be reviewed and strengthened.
- The CQC should amend its inspection framework accordingly. HSCIC should use the redesigned IG Toolkit to inform the CQC of ‘at risk’ organisations.
- Where malicious or intentional data breaches occur, the DH should put harsher sanctions in place.
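The recommendation that organisations use a tool to identify dormant accounts, default passwords and multiple logins from the same account, and the standard that access is removed when no longer required and attributable to individuals, describe checks that can be automated against an account directory and an authentication log. The script below is an added illustration written for this article, not a tool from Dame Fiona's report, the CQC or any NHS body. The account records, the log format and the 90-day dormancy threshold are all constructed assumptions; the "password never changed since creation" test is used as a stand-in indicator of an initial or default credential still being in use.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample account records (not real data): one entry per user account.
# A None in password_changed means the initial credential has never been replaced.
ACCOUNTS = [
    {"user": "jsmith",    "created": "2015-01-10", "last_login": "2016-07-01", "password_changed": "2015-01-10"},
    {"user": "locum1",    "created": "2016-01-05", "last_login": "2016-01-06", "password_changed": None},
    {"user": "admin",     "created": "2014-03-01", "last_login": "2016-06-30", "password_changed": None},
    {"user": "reception", "created": "2015-09-01", "last_login": None,         "password_changed": "2015-09-01"},
]

# Constructed authentication log in an assumed "timestamp EVENT user host" format.
LOG_LINES = """\
2016-07-06T08:55:00 LOGIN jsmith WS01
2016-07-06T09:10:00 LOGIN jsmith WS07
2016-07-06T09:30:00 LOGOUT jsmith WS01
2016-07-06T09:40:00 LOGIN admin WS02
2016-07-06T10:00:00 LOGOUT jsmith WS07
2016-07-06T10:30:00 LOGOUT admin WS02
"""

# Assumed audit date and dormancy threshold; a practice would set its own.
AS_OF = datetime(2016, 7, 7)
MAX_IDLE_DAYS = 90


def _parse_date(value):
    """Parse an ISO date string, returning None for a missing value."""
    return datetime.strptime(value, "%Y-%m-%d") if value else None


def dormant_accounts(accounts, as_of, max_idle_days=MAX_IDLE_DAYS):
    """Accounts that have never logged in, or not within max_idle_days of as_of.

    These are candidates for removal under the 'access is removed as soon as it
    is no longer required' standard."""
    cutoff = as_of - timedelta(days=max_idle_days)
    flagged = []
    for account in accounts:
        last = _parse_date(account["last_login"])
        if last is None or last < cutoff:
            flagged.append(account["user"])
    return flagged


def default_password_accounts(accounts):
    """Accounts whose password has never been changed since the account was created."""
    return [a["user"] for a in accounts if a["password_changed"] is None]


def concurrent_logins(log_text):
    """Logins that occur while the same user already has an open session on a different host.

    Returns (user, existing_host, new_host, timestamp) tuples. Shared or
    concurrently used accounts break the requirement that every access can be
    attributed to an individual."""
    open_sessions = defaultdict(set)  # user -> hosts with a session still open
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, event, user, host = line.split()
        if event == "LOGIN":
            for existing in sorted(open_sessions[user]):
                if existing != host:
                    findings.append((user, existing, host, timestamp))
            open_sessions[user].add(host)
        elif event == "LOGOUT":
            open_sessions[user].discard(host)
    return findings


def audit(accounts, log_text, as_of=AS_OF):
    """Run all three checks and return the findings as one report."""
    return {
        "dormant": dormant_accounts(accounts, as_of),
        "default_password": default_password_accounts(accounts),
        "concurrent_logins": concurrent_logins(log_text),
    }


if __name__ == "__main__":
    for check, result in audit(ACCOUNTS, LOG_LINES).items():
        print(f"{check}: {result}")
```

On the constructed data this flags `locum1` and `reception` as dormant, `locum1` and `admin` as still on their initial password, and one overlapping session for `jsmith` across two workstations. Against a real estate the account list and log would come from the practice's directory and clinical system audit trail, and each finding would be reviewed before any account is disabled.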
What is the new consent/opt-out model?
The new consent/opt-out model has been developed through work with the RCGP, BMA, Information Commissioner’s Office, Local Government Association, research organisations and charities. It aims to give people a clear choice about how their personal confidential data is used.
Dame Fiona has proposed a model that allows people to opt out of their confidential data being used for purposes beyond their direct care. This would apply unless there was a mandatory legal requirement or an overriding public interest.
Dame Fiona’s report suggests four different approaches that could be adopted to allow people to opt out, but says extensive testing will be needed to find the right model before asking people to make this choice.
What does the CQC report say?
The CQC report is based on a review of 60 NHS provider sites, which included 22 GP practices. The report makes six recommendations that broadly follow Dame Fiona’s findings and provide an indication of what the CQC will be looking at during an inspection. These are:
- The leadership of every organisation should demonstrate clear ownership and responsibility for data security.
- All staff should be provided with the right information, tools, training and support to allow them to do their jobs effectively while still being able to meet their responsibilities for handling and sharing data safely.
- IT systems and all data security protocols should be designed around the needs of patient care and frontline staff to remove the need for workarounds, which in turn introduce risks into the system.
- Computer hardware and software that can no longer be supported should be replaced as a matter of urgency.
- Arrangements for internal data security audit and external validation should be reviewed and strengthened to a level similar to those assuring financial integrity and accountability.
- CQC will amend its assessment framework and inspection approach to include assurance that appropriate internal and external validation against the new data security standards has been carried out, and make sure that the inspectors involved are appropriately trained.
The CQC report provides more detail on what these recommendations will mean in practice and has said it will strengthen its existing key lines of enquiry on information governance.
The report also highlights what 'good' data security looks like under a series of headings including leadership, training, patient access to data, business continuity and data sharing. Practices can use these to assess where they might need to make improvements. You can read more about this here.