Prepare for 'strengthened' inspections into data security, CQC tells GPs

GP practices should prepare for more stringent CQC inspections, says the regulator, after new data security standards were approved by the health secretary today.

The CQC says that GP practices will undergo 'strengthened' inspections on information governance, with practices having to 'demonstrate clear ownership and responsibility for data security'.

The CQC says practices’ data security will be audited to the same level as their clinical and financial standards.

Ten new data security standards have been recommended by the National Data Guardian Dame Fiona Caldicott in a report provisionally accepted in full by health secretary Jeremy Hunt today.

Dame Fiona also recommends that NHS England reviews the long-shelved project for sharing patient information.  

If it goes ahead, it should do so under a more stringent patient opt-out system, which gives patients choice over having their data shared for purposes unrelated to their direct care.

The CQC report says that:

  • Practice audits should be in place to ensure new data security standards are met;
  • Every organisation should demonstrate clear ownership and responsibility for data security, just as it does for clinical and financial management and accountability;
  • Arrangements for internal data security audit and external validation should be reviewed and strengthened to a level similar to those assuring financial integrity and accountability;
  • It will amend its inspections to include assurance that appropriate validation against the new data security standards has been carried out, and make sure inspectors involved are appropriately trained.

Dame Fiona's report calls for a ‘much more extensive dialogue’ with the public about how their data is shared and suggests a new model of patient consent. This would allow patients to opt out of either of the following, or both:

  • Personal confidential information being used to provide local services and run the NHS and social care system (For example, by NHS commissioners or providers to assess the standards of services)
  • Personal confidential information being used to support research and improve treatment and care (For example, a university or commercial organisation using NHS data for health research)

The report marks a watershed for the project, which has been put on hold until after Dame Fiona's review. Her report has been approved in principle by Mr Hunt today and will now be part of a consultation and testing on the proposed standards.

In a joint letter to Mr Hunt, Dame Fiona and CQC chief executive David Behan said: 'Whilst for the most part, personal data is generally managed securely in the NHS, organisations must show leadership in prioritising its accessibility, integrity and confidentiality, and ensuring that the security of data systems is proactively and regularly tested.'

Dame Fiona added: ‘Citizens have a right to know how their data is safeguarded. They should be included in conversations about the potential benefits that responsible use of their information can bring. They must be offered a clear choice about whether they want to allow their information to be part of this.’

She also said she would like to see NHS England taking a decision on the future of before Mr Hunt launches his consultation into the new standards.

RCGP honorary secretary Professor Nigel Mathers said: 'What is essential is that patients understand how and when information about their health - anonymised or not - is being used, and that they are confident it will be kept secure. This way, the trust patients have in their GP will be maintained.'

Dame Fiona was appointed after NHS England halted to 'build awareness' among the public, after promotional materials were labelled too complex and went unreceived by two-thirds of households.

It was later revealed that more than a million people who had opted out of record sharing were continuing to have their information shared because the original opt out, if implemented, would have prevented them receiving invitations for NHS screening services.

The National Data Guardian report says: 'Due to this need for strong leadership in data security, the Review has set out 10 data security standards clustered under three leadership obligations to address people, process and technology issues.'

It said these would:

  • Ensure staff are equipped to handle information respectfully and safely, according to the Caldicott Principles.
  • Ensure the organisation proactively prevents data security breaches and responds appropriately to incidents or near misses.
  • Ensure technology is secure and up-to-date.'

Readers' comments (19)

  • What does this mean?

    Can we have some simple English? What is it that practices have to do?

  • basically it will be another tick box online module that we will have to do - probably 80 pages long with a questionnaire at the end which we will all rush through to do in 20mins and forget what it said the next day. we will of course get a certificate which will be filed to show the cqc on their next visit ...

    basically it's worrying about the colour of paint the titanic is in and misses the wider problems we are having but hey it keeps a lot of folks in jobs so can't be bad?

  • As with a number of things coming from the DoH, this is a good idea in principle but who is going to pay for better, more secure technology?

    Match the good ideas with the resources to do the job and you're on to a winner. An idea with no resources is just another stick to beat GP practices with!

  • Before the finger is pointed at GP Practices with regard to data security, maybe someone ought to look a little further (Capita) and ask where all the missing GP records are and what is being done about their security!

  • The Health Secretary has approved higher data security standards?
    Did the BMA approve them too, or are they not part of the contract?
    In any case, practices cannot show ownership of the IT and data any longer, as they no longer 'own' it, it is 'owned' and hosted elsewhere by IT companies.
    And as to checks of financial standards, well, I am not sure anyone ever did this, or would be entitled to, as practices are independent private businesses - they certainly seem to have missed a few things in the past if they were checking! Even things that practices have brought to attention of LHBs.

  • I thought most of the lapses have occurred outside GP practices.
    Are the CQC going to address this ????
    If they don't care about the lack of funding in primary care causing the problems - I couldn't care less about them

  • Cobblers

    "The beatings will continue (worsen) until morale improves."

    Show me the evidence that GPs have a data security issue? None? I thought not. Civil Servants probably. Politicians definitely. Yet another knife in the GPs' back.

  • When is someone going to start resisting this rubbish on our behalf?

    Who speaks for us? And who listens?

    I despair.

  • And they say there is a "war on workload". Sigh.

  • I thought that this was why we complete the Information Governance Toolkit every year?
    We really don't need CQC getting in on the act.
