

Data security

by James Wood
3 August 2015


Keeping patients’ electronic records safe is vitally important considering the increasing instances of cyber hacking

As everyone working in the NHS understands, trust plays a huge role in the relationship with patients. Part of this trust is that they can share personal information with clinicians and NHS workers, and they can expect it to be kept private. Building and maintaining this trust is absolutely essential if, as a healthcare system, we are to make the very best use of the information we have available to benefit patient care and wellbeing.
The advice in this article is to help you do just that, and the good news is that there is lots of advice available should you need further information.


Your responsibilities and the law

A core part of making the best use of our information is understanding general practice and how the law works, because each practice is classed as the ‘data controller’ (see Box 1) for the data that it collects and holds. This can be a very complex area; however, there are many sources of information and guidance that can help you make sure you remain compliant.


As data controller, general practices have duties under the Data Protection Act, which controls how you may obtain, record and hold the data, and how you may carry out any operation or set of operations on the information. It is very important that within your practice, members of staff are aware of their individual duties and that this is reinforced through training and awareness sessions.
A key resource for all organisations is the Information Commissioner’s Office (ICO), which provides many different materials to support you in understanding your roles and responsibilities. For more information about the Data Protection Act see resources.
In order to help NHS organisations ensure that they handle data appropriately, the Health and Social Care Information Centre (HSCIC) has produced Confidentiality: NHS Code of Practice (see resources) that sets standards that all NHS organisations should adhere to. This sets out the required standards of practice concerning confidentiality and patients’ consent to use their health records.
HSCIC has also produced an Information Governance (IG) Toolkit, which all organisations must complete, alongside appropriate online training. The IG Toolkit (see resources) is an online system that allows NHS organisations and partners to assess themselves against Department of Health Information Governance policies and standards. By completing the toolkit you can ensure that your practice has considered all of the key areas around the handling of patient information and that you comply with the standards set by law.

How to keep electronic information safe
Keeping electronic information safe is something that feels daunting for many practices, but in reality many of the principles that you apply are similar to those you would use for paper records. The main difference is that while you can physically dispose of a piece of paper and be confident that it has been effectively destroyed, to do the same with electronic records you might need to involve an expert.
The lifecycle of information can be very complicated but it is best to think in simple terms of: collect, store, process and dispose. Each of these steps has different requirements but this simple approach can help us all focus on meeting the expectations of patients and maintaining their trust.

Collecting information
GPs are at the forefront of collecting data about patients, any conditions and their overall wellbeing. As such, your practice has a key role in informing patients of the importance of their data and what you are doing to protect it. One of the main things patients need to know is that they can request to see what data you hold about them through filling in a subject access request. For more information about this, see resources.
You have a responsibility to ensure that the data you record is accurate and that you only keep it for as long as it is needed. Adopting standards in the software you use and in how you collect data is very important, especially in driving data quality and consistency across the wider system. HSCIC supports the system through the development and publication of information standards and we support the Standardisation Committee for Care Information (SCCI) process for the benefit of the whole system.
Collection is the crucial first step. In my development days it was always the most important part of our considerations for a system as everything else can be affected if your collection isn’t spot on. It is really encouraging to see practices adopting standard processes and quality checks for the data they are collecting.

Storing electronic information
Once the data is collected, the ongoing storage and maintenance continues to be very important. You need to be confident that the software, hardware and services you use meet appropriate security standards.
The easiest way for a general practice to achieve this is to use a trusted supplier to manage this on your behalf. Choose a supplier who can help with both software and hardware management, and who uses industry-tested software and services.
There is a burgeoning marketplace of service suppliers who can provide secure, managed and updated solutions to meet your business needs. It is becoming increasingly difficult to justify the cost and risk of running your own system.
The GP Systems of Choice Framework (GPSoC) has been developed by HSCIC and provides a contractual framework to supply IT systems and services to general practices and associated organisations in England. Services on the framework have been through appropriate assurance and testing. For more information see resources.
You also need to ensure you have appropriate anti-virus programmes on all of your devices. Don’t try to do this yourself. Patient data needs to be protected with high standards of security and that requires expert advice.

Processing electronic information
Making best use of information and ensuring we can share information appropriately enables practices to deliver the best patient focused services possible. Processing information is about how you use and look after data, and the importance of following good practice and process to safeguard it.
HSCIC has a range of national systems that are set up to support NHS organisations to be able to safely and securely store their information. The Care Identity Service (CIS) is one of the world’s largest secure identity services.
Access is controlled through NHS smartcards and ensures that employees can only access appropriate information that they need for their role. Keep your smartcard secure and don’t share your passcode with anybody else.
NHSmail is a secure email service. It is accredited to government official sensitive status, approved by the Department of Health and endorsed by professional bodies, for the purpose of sharing patient identifiable and other sensitive information. For more information about NHSmail see resources.
But often it is the simplest things that can catch us all out. Making staff aware of basic principles such as not storing documents locally, locking your screen when away from your desk and checking the recipient of a sensitive email can all make a difference.

Destroying/disposing of electronic information
Rules about retention of records are complex and depend on individual circumstances. If you are at all unsure about whether you need to destroy or retain information then refer to the IG Toolkit or the ICO for guidance.
As a general rule you should only keep hold of information for as long as it is required and you should destroy electronic and paper records promptly.
But how do you effectively destroy electronic records? It is difficult to delete information completely, and to guarantee that this has been successful you should use a reputable company that meets the standards of the government’s Communications-Electronics Security Group (CESG) (national technical authority for information). CESG is a government service that evaluates and certifies the level of trust that may be placed in IT security features. For more information on CESG see resources.
We have all heard nightmare stories about data going missing or being found on disk drives bought from online auctions. Using an accredited provider and following some simple process steps can minimise the chances of something going wrong and an organisation potentially being fined by the ICO.
You also need to bear in mind that when you upgrade to new computer devices you need to ensure that the old ones have been effectively wiped clean and contain no sensitive data. Again, your IT service provider should be able to do this for you. When you do need to dispose of information it is crucial that you keep an appropriate audit trail. You need to receive a data deletion certificate from your supplier that highlights what was destroyed and when; how it was destroyed and why.
You should carefully file each and every data deletion certificate that you receive as these are your evidence that you dealt appropriately with the records.
HSCIC has produced best practice guidance for the destruction and deletion of data (see resources).

Your crucial role
General practices and other NHS organisations are at the front line of delivering care.
The NHS could not operate effectively if patients didn’t trust it to manage their confidential information and the staff delivering the high standards of care and support to patients are our most important asset. Part of HSCIC’s job is to make sure those staff have the right support mechanisms in place to feel confident in their crucial role.
There are many examples of fantastic approaches to security, confidentiality and the IG Toolkit, and one of my criteria for success is in making sure HSCIC continues to support you by being a centre of excellence for information and cyber security for the whole system.
When patients place their trust in the NHS, they are actually placing their trust in the staff that deliver their care. So your role in protecting their information is crucial, but HSCIC and others are there to produce national systems and guidance to support you to meet these responsibilities.

James Wood, chief information and security officer, Health and Social Care Information Centre.

Resources
Key definitions of the data protection act
ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/
Confidentiality: NHS Code of Practice
systems.hscic.gov.uk/infogov/codes/confcode.pdf
IG Toolkit
www.igt.hscic.gov.uk/
Subject access request
ico.org.uk/for-organisations/guide-to-data-protection/principle-6-rights/subject-access-request/
GP systems of choice
systems.hscic.gov.uk/gpsoc
NHSmail
systems.hscic.gov.uk/nhsmail
CESG
www.cesg.gov.uk
Destruction and disposal of sensitive data
systems.hscic.gov.uk/infogov/security/infrasec/gpg/dadosd.pdf/view