12 / 07 / 2016
Focus on: data security
Care Quality Commission and National Data Guardian, 6 July 2016
The CQC and Dame Fiona Caldicott, the national data guardian, have published complementary reports regarding data security in the NHS. The latter’s review has prompted the DH to launch a nine-week consultation on the proposed new set of standards and new consent/opt-out model. This summary will focus primarily on the recommendations of each report, which overlap in some areas (to the extent that the wording is identical), while also highlighting other key points.
Sixty NHS sites were involved in the CQC’s report, including 18 NHS trusts and 22 GP practices, with evidence gathered through staff interviews, observation of practice and document reviews. While “evident widespread commitment to data security” was found, the document highlights a number of concerns covering “leadership, behaviours and systems”, including: inconsistencies around learning lessons; variable staff training, in some cases even for SIROs and Caldicott Guardians; a disconnect between policies and practice; and systems and protocols “not always designed around the needs of frontline staff” and, “most notably in hospital trusts”, around the needs of service users too.
The regulator is clear that improvements to guidance in this area are required and that “responsibility for data security sits with providers”, emphasising the significance of “visible leadership” and a “strong culture” in ensuring the necessary support and assurance are in place. Points worthy of note from the six recommendations are covered below:
- The CQC advocates that leaders “should demonstrate clear ownership and responsibility for data security”, equivalent to that for finance and quality within their organisations. Internal audit of security arrangements should test their efficacy, and every organisation “should secure external audit or other validation” of its processes. Among other areas that leaders are encouraged to focus on are the establishment of a “learning, not blaming culture” and ensuring that named people are responsible and accountable “for all aspects of data security.”
- Staff should universally have access to the “right information, tools, training and support”, including mandatory and regularly refreshed training on data security. Staff should all be provided with effective guidance on how to raise concerns about potential breaches. An updated Information Governance Toolkit should enable HSCIC and NHS England to identify providers in need of support. Local and regional data sharing should be underpinned by common procedures.
- Systems and protocols need to be developed with the needs of patients and staff at the forefront. All organisations are urged to undertake a “comprehensive review” of existing arrangements for managing patient data, which would in turn “inform a strategy to simplify and clarify” systems. Moreover, staff should be involved in the planning of new or replacement systems, and organisations should produce a clear plan for managing transitions from old to new. Procurement should be in line with common standards.
- NHS England and HSCIC should clarify dates beyond which outdated and unsupported hardware and software should not be utilised.
- Internal audit and external validation should both be evaluated and enhanced where necessary. Organisations should implement the National Data Guardian data security standards (once finalised) and commissioners are also advised to “re-consider contracts with providers who, after a reasonable period” are deemed to “continue to present risks to their patients and other providers” in relation to data security.
- CQC will amend its inspection framework in order to take greater account of information governance and to seek assurance around internal and external validation against the standards.
Dame Fiona Caldicott has bemoaned the “little positive change in the use of data across health and social care” since her 2013 Information Governance Review, while also striking a note of optimism by pointing to the “very significant opportunity…to improve the use of data in people’s interests, and ensure transparency for the public.” The National Data Guardian (NDG) review also emphasises the importance of leadership to this agenda, with a plea that “people’s confidential data should be treated with the same respect as their care.” A new set of 10 data security standards for health and social care is proposed for consultation; the standards are “intended to support rather than inhibit data sharing” and are grouped under the following three “leadership obligations”:
- People – all staff need to: “ensure that personal confidential data is handled, stored and transmitted securely”; be aware of their responsibilities under the new standards; and complete data security training annually.
- Process – this covers the following: personal confidential data should only be available to staff who need it for a particular role; processes should be subject to at least annual review; senior management should receive reports within 12 hours of any data breach or near miss; and continuity plans are required to ensure effective response to security threats.
- Technology – organisational leaders should ensure: no unsupported technology is utilised across their IT estate; a strategy subject to at least annual review is developed to protect IT systems from cyber threats; and IT suppliers are held to account regarding data protection and complying with the security standards.
Meanwhile, in relation to consent and opt-outs, the NDG acknowledges that “the laws and procedures are difficult for the experts to understand, let alone the patients and service users.” It is also accepted that the “case for data sharing still needs to be made to the public”, and the Review determined that an opt-out should be offered for “personal confidential data being used for purposes beyond their direct care unless there is a mandatory legal requirement or an overriding public interest.” This model, which it is argued “would mark a significant step forward in allowing patients to understand and shape the use of their health and social care information”, is also to be subject to consultation.
The NDG Review contains twenty recommendations in all, some of which mirror precisely those contained in the CQC report. Among those not already referred to above are the following:
- HSCIC is tasked with working with regulators to “ensure that there is coherent oversight of data security across the health and care system.”
- The Government is urged to evaluate the introduction of more robust sanctions to help protect anonymised data.
- HSCIC should produce a tool that enables people to understand how sharing their data has made a positive contribution for others.
- The National Information Board should work on increasing public trust in data sharing across the health and care system.