
DH publishes data security actions required to implement NDG recommendations

David Bicknell Published 30 October 2017

Document sets out the steps all health and care organisations must take in 2017/18 to demonstrate they are implementing ten data security standards recommended by the National Data Guardian


The Department of Health and NHS England have published a document outlining the action expected from health and care organisations in 2017/18 to implement the data security and protection recommendations made by the National Data Guardian.

The document sets out the steps all health and care organisations will be expected to take in 2017/18 to demonstrate that they are implementing the ten data security standards recommended by the National Data Guardian, and provides further details regarding the new assurance framework that is coming into place from April 2018.

From April 2018 the new Data Security and Protection Toolkit (DSP Toolkit) will replace the Information Governance Toolkit (IG Toolkit) and form part of a new framework for assuring that organisations are implementing the ten data security standards and meeting their statutory obligations on data protection and data security. Further information on the new assurance framework, which will build on these requirements

The document reiterates that both the ten data security standards, and the 2017/18 requirements, apply to all health and care organisations. It adds that when considering data security as part of the ‘well led’ element of their inspections, the Care Quality Commission (CQC) will look at how organisations are assuring themselves that the steps set out in this document are being taken.

‘NHS providers’, i.e. organisations contracted to provide services under the NHS Standard Contract, must also comply with the requirements set out in the document, as part of the data security and protection requirements of that contract. At the end of the 2017/18 financial year NHS Improvement will ask NHS providers to confirm that they have implemented the requirements set out in the document. In the longer term NHS Improvement will ensure that data security is included in its oversight arrangements.

General Practices and Practitioners contracted to provide primary care essential services to a registered list under the NHS standard General Medical Services (GMS) contract (or Personal Medical Services (PMS) or Alternative Provider Medical Services (APMS) contracts) must also comply with the requirements set out in the document, as part of the data security and protection requirements of their contract. Some requirements will also be implemented on their behalf by the commissioner of the GP IT and GP Information Governance Support Service (the Clinical Commissioning Group (CCG) or NHS England Regional team), the document said.

For social care providers that do not provide NHS care under the NHS Standard Contract, there is no obligation to implement the requirements set out in the document in this financial year. However, the document points out, “it is highly recommended that social care organisations follow these steps in preparation for the new regulatory framework from April 2018 onwards.”

Part A of the document sets out the steps that all health and care organisations are required to take in 2017/18 to implement the data security standards, with the requirements grouped under people, process and technology. Part B sets out how these requirements apply to general practices.

Under the People requirements, the document makes clear that there must be a named senior executive responsible for data and cyber security in the organisation, ideally the Senior Information Risk Owner (SIRO) and, where applicable, a member of the organisation’s board.

In 2017/18, organisations will still be required to achieve at least level two on the current Information Governance Toolkit. From 2018/19 onwards it will be replaced by a new approach to measuring progress against the ten data security standards, the new Data Security and Protection Toolkit.

They will also have to complete a General Data Protection Regulation (GDPR) checklist. NHS Digital will publish the checklist to support organisations in implementing the requirements of GDPR, with which they will be required to comply from May 2018. The document points out that organisations must complete the checklist to ensure they will be able to meet their legal obligations from May 2018.

The document says all staff must complete appropriate annual data security and protection training.

Under Processes, there will be an obligation to act on CareCERT advisories. Organisations are told they must:

  • Act on CareCERT advisories where relevant to their organisation;
  • Confirm within 48 hours that plans are in place to act on High Severity CareCERT advisories, and evidence this through CareCERT Collect; and
  • Identify a primary point of contact for the organisation to receive and coordinate the organisation’s response to CareCERT advisories, and provide that contact’s details through CareCERT Collect.