The CQC’s recent report Safe data, safe care looks at how data can be safely and securely managed in the NHS. The report was published at the same time as national data guardian Dame Fiona Caldicott released details of proposed new data security standards and a new consent/opt-out model.
The CQC report, which is based on a review of 60 NHS providers across England including 22 GP practices, aimed to look in detail at the underlying causes of risk.
The report comes up with six key recommendations and provides detail about what these will mean in practice. But it also highlights what it believes to be good practice in data security.
The CQC has said that it will strengthen its existing key lines of enquiry in relation to information governance. The ‘good’ steps it highlights in its report provides practices with an indication of what the CQC will expect to see during inspections.
What does good data security look like?
According to the CQC report, the following would be good practice in regard to data security.
Leadership and culture
- Effective leadership is visible and active, and demonstrates clear ownership of data security, just as it does for financial management and accountability.
- Leaders test and understand their organisation’s exposure to risk and the ways in which those risks are managed. They regularly seek out independent, external validation of their data security.
- Leaders of general practices, whose IT is often provided by external contractors, recognise that in outsourcing the supply of IT they have not outsourced their responsibility for data security as well.
- Leaders create and maintain a culture where data security is easier to maintain than not, even for front line staff under pressures. There is a culture where mistakes, near misses, and concerns are raised immediately by staff who are then recognised for helping to make the organisation safer.
- Training is mandatory and regularly refreshed for all staff, including those on temporary and agency contracts. It is tailored to the responsibilities of each staff group so that it is accessible and relevant, and has the greatest impact.
- Staff are trained in how to access and share data remotely, and what they can do safely when in environments that do not easily lend themselves to privacy.
- If staff are ever in doubt about an issue, their training equips them to find reliable guidance quickly and easily.
- Staff recruited to senior positions with significant responsibilities, such Caldicott Guardians, are also properly trained and their training is kept up to date with materials relevant to their roles.
Patient access to their own data
- Patients are well informed about their rights and staff are clear about what information they can and cannot share under different circumstances.
- Patients are advised about how to protect their own data when accessing it online or discussing it in places where confidentiality cannot be assured.
Staff access to records
- Access to confidential information is set according to what staff need in order to carry out their duties effectively and safely.
- Access to confidential data is withdrawn when staff move to different duties that do not require the same access, or when they leave the organisation.
- Attempts to log into secure systems are treated with caution and only authorised people gain access.
- Logins to systems are controlled by unique personal usernames and passwords and are changed frequently.
- Where smart cards are used, everyonehas their own. Agency and new staff are issued with their own cards as soon as they arrive, and all cards no longer needed are cancelled immediately.
Mobile and remote working
- Staff are provided with encrypted devices so that they can work safely and effectively anywhere on site, and off site whenever necessary.
- Staff are trained and supported to carry out their work securely without compromising their need to access data when and where needed.
- Taking every opportunity to learn and share from others facing similar challenges.
- Comparing performance with others as a way of stimulating innovation and maintaining continual improvement.
- Recognising and planning for all emergencies. Developing and practising detailed plans that enable services to continue for the needs of patients.
Control of removable records
- Removable records include paper, USB drives, CDs, DVDs, external hard drives and storage devices, and well-led organisations avoid any of these media being left unlocked and unattended at any time.
- Paper records are kept in locked cabinets, carried securely and not left in public areas. USB ports and CD or DVD drives are all locked away securely.
Ease of access to data
- Staff have secure access to patient data when and where necessary so that they can effectively treat each patient without delay.
- Data is shared quickly, effectively and safely with all those involved in the care of patients, including staff in different organisations.
- Staff understand the importance of sharing data and are assured that they can do so safely and securely.
- NHS organisations are supported to work together to agree common arrangements for data sharing.
- In safe, well-led organisations, IT systems are supported and maintained so that they are fit for purpose and are tested with the results being formally and regularly shared with the organisation’s leadership.
- Data security arrangements are designed around the needs of patient care and the responsibilities of front line staff.
- Plans are developed to maintain data security and effective access while supporting closer integration of health and social care.