Prepare for ‘strengthened’ inspections into data security, CQC tells GPs



GP practices should prepare for more stringent CQC inspections, says the regulator, after new data security standards were approved by the health secretary today.

The CQC says that GP practices will undergo ‘strengthened’ inspections on information governance, with practices having to ‘demonstrate clear ownership and responsibility for data security’.

The CQC says practices’ data security will be audited to the same level as their clinical and financial standards.

Ten new data security standards have been recommended by the National Data Guardian Dame Fiona Caldicott in a report provisionally accepted in full by health secretary Jeremy Hunt today.

Dame Fiona also recommends that NHS England reviews the long-shelved care.data project for sharing patient information.

If it goes ahead, it should do so under a more stringent patient opt-out system, which gives patients a choice over having their data shared for purposes unrelated to their direct care.

The CQC report says that:

  • Practice audits should be in place to ensure the new data security standards are met;
  • Every organisation should demonstrate clear ownership and responsibility for data security, just as it does for clinical and financial management and accountability;
  • Arrangements for internal data security audit and external validation should be reviewed and strengthened to a level similar to those assuring financial integrity and accountability;
  • It will amend its inspections to include assurance that appropriate validation against the new data security standards has been carried out, and make sure the inspectors involved are appropriately trained.

Dame Fiona’s report calls for a ‘much more extensive dialogue’ with the public about how their data is shared and suggests a new model of patient consent. This would allow patients to opt out of either of the following, or both:

  • Personal confidential information being used to provide local services and run the NHS and social care system (for example, by NHS commissioners or providers to assess the standards of services);
  • Personal confidential information being used to support research and improve treatment and care (for example, a university or commercial organisation using NHS data for health research).

The report marks a watershed for the care.data project, which has been put on hold until after Dame Fiona’s review. Her report has been approved in principle by Mr Hunt today and will now be part of a consultation and testing on the proposed standards.

In a joint letter to Mr Hunt, Dame Fiona and CQC chief executive David Behan said: ‘Whilst for the most part, personal data is generally managed securely in the NHS, organisations must show leadership in prioritising its accessibility, integrity and confidentiality, and ensuring that the security of data systems is proactively and regularly tested.’

Dame Fiona added: ‘Citizens have a right to know how their data is safeguarded. They should be included in conversations about the potential benefits that responsible use of their information can bring. They must be offered a clear choice about whether they want to allow their information to be part of this.’

She also said she would like to see NHS England taking a decision on the future of care.data before Mr Hunt launches his consultation into the new standards.

RCGP honorary secretary Professor Nigel Mathers said: ‘What is essential is that patients understand how and when information about their health – anonymised or not – is being used, and that they are confident it will be kept secure. This way, the trust patients have in their GP will be maintained.’

Dame Fiona was appointed after NHS England halted care.data to ‘build awareness’ among the public, after promotional materials were labelled too complex and went unreceived by two-thirds of households.

It was later revealed that more than a million people who had opted out of record sharing were continuing to have their information shared, because the original opt-out, if implemented, would have prevented them from receiving invitations for NHS screening services.

The National Data Guardian report says: ‘Due to this need for strong leadership in data security, the Review has set out 10 data security standards clustered under three leadership obligations to address people, process and technology issues.’

It said these would:

  • Ensure staff are equipped to handle information respectfully and safely, according to the Caldicott Principles.
  • Ensure the organisation proactively prevents data security breaches and responds appropriately to incidents or near misses.
  • Ensure technology is secure and up-to-date.