Under the plans published by the DH and NHS England, practices will be required to have a named partner or senior staff member who is responsible for data and cyber security.
The new requirements, published in October 2017, aim to ensure that all health and care organisations are implementing the 10 data security standards that were recommended by Dame Fiona Caldicott, the National Data Guardian, in July 2016. The requirements set out the steps that practices should take in 2017/18 in order to meet the standards by next April.
The DH document says that practices must comply with the steps as ‘part of the data security and protection requirements’ set out in their contracts. However, it adds that some of the data security requirements will be implemented by their commissioning organisation.
From April 2018 the Information Governance Toolkit will change to become the Data Security and Protection Toolkit. This will assess how well organisations are implementing the 10 data security standards and meeting their statutory obligations on data security and data protection.
The CQC will also assess whether practices are following the requirements when it considers data security issues during its inspections, the document adds.
Under the new requirements, CCGs are expected to ensure IT delivery partners undertake on-site cyber and data security assessments in practices. Practices must fully support these assessments and comply with the agreed action plans as part of their CCG-practice agreement, the guidance says.
All staff must complete appropriate annual data security and protection training. Online training is available that replaces the previous information governance training and includes a new section on cyber security.
General Data Protection Regulation
The guidance also reveals that NHS Digital will be publishing a checklist to help practices implement the requirements of the new EU-wide General Data Protection Regulation, which comes into effect in May 2018 and replaces the Data Protection Act. Practices will be required to appoint a data protection officer as part of this.
Every practice must maintain a business continuity plan, which should include details of how it will respond to data and cyber security incidents.
Practices must also report data security incidents and near misses to CareCERT. GP IT services should help practices report and manage such incidents.
CCGs must ensure that IT delivery partners will maintain business continuity and disaster recovery plans for services provided to practices.
What else will CCGs be doing?
The new guidance also places new responsibility on CCGs to identify unsupported systems in practices, including software, hardware and applications, and to have a plan in place by April 2018 to 'remove, replace or actively mitigate and actively manage the risks' associated with these.
The 10 data standards
These are the 10 data standards recommended by the National Data Guardian for Health and Care that all health and care organisations are now required to follow.
- All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. Personal confidential data is only shared for lawful and appropriate purposes.
- All staff understand their responsibilities under the National Data Guardian’s Data Security Standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches.
- All staff complete appropriate annual data security training and pass a mandatory test, provided through the revised IG Toolkit.
- Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to individuals.
- Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security.
- Cyber-attacks against services are identified and resisted and CareCERT security advice is responded to. Action is taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection.
- A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management.
- No unsupported operating systems, software or internet browsers are used within the IT estate.
- A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually.
- IT suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the National Data Guardian’s Data Security Standards.