
Government issues final guidance on new GP data protection requirements

Every practice will have to appoint a ‘senior employee’ to take on responsibility for data and cyber security, according to a new Government requirement.

The data security and protection requirements, published jointly by NHS England and the Department of Health earlier this week, set out the steps GPs are required to take by the end of 2017/18 to comply with data security standards.

The Department of Health has said the CQC will take into account how well practices are following these steps when assessing data security during inspections.

The DH already published a list of ten security standards against which the CQC will inspect practices, as part of a review of data security in the NHS earlier this year. 

The latest requirements ask that practices ‘have a named partner, board member or equivalent senior employee to be responsible for data and cyber security’.

The document adds that the CCG will provide ‘specialist support’ to the chosen practice employee but practices are accountable for their own data and cyber security.

The requirements also appoint CCGs to be responsible for ensuring that practices identify unsupported computer software and hardware.

The document asks CCGs to have a plan in place by April 2018 to ‘remove, replace or actively mitigate and actively manage the risks associated with, unsupported systems’.

The security requirements come after the National Audit Office found that 595 practices were locked out of their systems on 12 May, when they were infected by the malicious ‘WannaCry’ virus, which demanded a ransom before systems could be unlocked.

MPs subsequently told the DH to ‘get serious’ about cyber security, after it had failed to make contingency plans for ensuring trusts could operate without their IT systems.

Readers' comments (3)

  • Dear All,
    Hmm, you might have imagined they might have discussed this declaration with us beforehand?
    Well for the record I was not involved.
    Dr Paul Cundy
    IT policy lead for the GPC.
    GMC 2582641


  • Neil Bhatia

    The IG lead for any practice is really going to have his/her hands full come next April - this, DPBill, GDPR....


  • Usual NHS practice -- any complex, time-consuming or difficult requirements - delegate it to those on the front line.
