Practices have until the end of the 2017/18 financial year to meet 10 data security standards recommended by national data guardian Dame Fiona Caldicott in July last year. Guidance published this week set out steps practices should take to meet the standards.
The guidance says that practices must comply as ‘part of the data security and protection requirements’ set out in their contracts. However, it adds that some of the requirements will be implemented by their commissioning organisation.
The CQC will assess whether practices are following the standards when it considers data security during its inspections.
From 2018/19 the Information Governance Toolkit, which lists governance standards that practices currently are required to meet, will be replaced by a ‘new approach to measure progress against the 10 data security standards’. GP information governance services will be commissioned and made available to support practices in this, the new advice says.
Practices will also have to complete a checklist, due to be published by NHS Digital, to ensure that they are correctly implementing the new EU-wide General Data Protection Regulation, which comes into effect in May 2018 and replaces the Data Protection Act. As part of this, practices will need to appoint a data protection officer.
The DH guidance also says that CCGs will have to ensure that IT suppliers undertake ‘on-site cyber and data security’ assessments in all supported practices. Practices will be required to comply with the agreed action plans ‘to meet their responsibilities described in the CCG-Practice Agreement’.
CCGs are also expected to identify any ‘unsupported systems’ in practices, which includes software, hardware and applications, and have a plan in place to ‘replace or actively mitigate and actively manage the risks associated’ with these.
Practices will be required to maintain a business continuity plan that includes details of how the practice plans to respond to data and cyber security incidents. They must also report data security incidents and near misses to CareCERT, the document says.
The 10 data standards
These are the 10 data standards recommended by the National Data Guardian for Health and Care that all health and care organisations are now required to follow.
- All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. Personal confidential data is only shared for lawful and appropriate purposes.
- All staff understand their responsibilities under the National Data Guardian’s Data Security Standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches.
- All staff complete appropriate annual data security training and pass a mandatory test, provided through the revised IG Toolkit.
- Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to individuals.
- Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security.
- Cyber-attacks against services are identified and resisted and CareCERT security advice is responded to. Action is taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection.
- A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management.
- No unsupported operating systems, software or internet browsers are used within the IT estate.
- A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually.
- IT suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the National Data Guardian’s Data Security Standards.