This site is intended for health professionals only

Government issues final guidance on new GP data protection requirements

Every practice will have to appoint a ‘senior employee’ to take on responsibility for data and cyber security according to new Government requirement.

The data security and protection requirements, published jointly by NHS England and the Department of Health earlier this week, set out the steps GPs are required to take by the end of 2017/18 to comply with data security standards.

The Department of Health has said the CQC will take into account how well practices are following these steps when assessing data security during inspections.

The DH already published a list of ten security standards against which the CQC will inspect practices, as part of a review of data security in the NHS earlier this year. 

The latest requirements ask that practices ‘have a named partner, board member or equivalent senior employee to be responsible for data and cyber security’.

The document adds that the CCG will provide ‘specialist support’ to the chosen practice employee but practices are accountable for their own data and cyber security.

The requirements also appoint CCGs to be responsible for ensuring that practices identify unsupported computer software and hardware.

The document asks CCGs to have a plan in place by April 2018 to ‘remove, replace or actively mitigate and actively manage the risks associated with, unsupported systems’.

The security requirements come after the National Audit Office found that 595 practices were locked out of their systems on 12 May, when they were infected by the malicious ‘WannaCry’ virus, which demanded a ransom before it could be unlocked.

MPs subsequently told the DH to ‘get serious’ about cyber security, after it had failed to make contingency plans for ensuring trusts could operate without their IT systems.