This site is intended for health professionals only

CQC to inspect data security in GP practices

7 July 2016

Share this article

Inspections by the Care Quality Commission (CQC) will now include data security audits, after the health secretary approved new security standards yesterday.

Jeremy Hunt, the secretary of state for health, commissioned two data reports last year, one from the CQC to review existing levels of data security across the NHS and the other from the National Data Guardian (NDG) to recommend new data security standards for health and social care.

The recommendations from the CQC report, Safe data, safe care, advise “strengthened” data security auditing in all health care settings.

It also recommends, “clear ownership and responsibility for data security” to the standard of clinical and financial management and accountability.

The CQC also said in its list of recommendations that it would begin inspecting data security against “the new data security standards” set out in the NDG report.

The 10 new data security standards outlined in the NDG report include identifying and addressing risks such as default passwords, dormant accounts and unsupported operating systems.

David Behan, chief executive of the CQC, said: ”The ability of NHS organisations to access and share patient information is crucial to the delivery of safe, effective care.

“But without robust processes, there’s a risk that information may be compromised, may not be accessible when it’s needed, or may not be kept confidential.

He added: “CQC has set out six recommendations aimed at improving arrangements for protecting personal data, and assuring the new standards proposed by the National Data Guardian. These recommendations focus on three main themes that are fundamental to the secure handling of data: people, processes and technology.

“Ultimately, however, it is for NHS leaders to demonstrate clear ownership and responsibility for data security, just as they do for clinical and financial management and accountability.”

Other standards include ensuring “that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form”.

Furthermore: “All access to personal confidential data on IT systems can be attributed to individuals.”

The NDG report, Review of Data Security, Consent and Opt-Outs, also recommends an extensive dialogue with the public about how their healthcare information is used and the benefits of data sharing. 

The report highlights the little public awareness of how this information is used.

To facilitate awareness, the report recommends a new opt-out to make it clear to patients how their information can be used and when they can opt out of it being shared.

Research in the review found that people tend to support their information being used where they can see the benefit, but want to be given a choice.

Dame Fiona Caldicott, national data guardian, said: ”My recommendations centre on trust. Building public trust for the use of health and care data means giving people confidence that their private information is kept secure and used in their interests.

“Citizens have a right to know how their data is safeguarded. They should be included in conversations about the potential benefits that responsible use of their information can bring.”