Check the way you handle personal information meets the right standards

Page last updated: 26 April 2022

There are some rules you must follow when you handle personal data. These are set out by GDPR and the National Data Guardian's 10 data security standards. There's a free toolkit you can use to help you meet them.

General Data Protection Regulation (GDPR)

GDPR is the law that tells you what you must do when you handle personal data (information about people). It came into effect across the UK and the EU on 25 May 2018, alongside the Data Protection Act 2018. Since the UK left the EU, the UK GDPR (the same rules carried into UK law) applies in England, alongside the Data Protection Act 2018.

All organisations that collect or use personal data must comply with GDPR. Some of the things you must do to meet it are:

  • process only the minimum personal data you need for your purpose
  • only keep it for as long as you need to
  • carry out data protection impact assessments where processing is likely to be high risk, to make sure you process personal data in a lawful way
  • take the right steps to protect data and identify risks to privacy
  • consider if the person whose data you want to collect needs to give their consent
  • understand and respect the rights of the person whose data you are collecting
  • decide if you need to appoint a data protection officer
  • be transparent and open about the processing of personal data
  • report personal data breaches to the ICO within 72 hours of becoming aware of them, unless the breach is unlikely to put people's rights at risk, and tell the people affected where the risk to them is high

These are examples of what GDPR covers. It's important to read the full guide to GDPR on the ICO's website.

The Information Governance Alliance has published guidance on GDPR. Their guidance gives extra information aimed at health and social care organisations.

The National Data Guardian's standards

The National Data Guardian's 10 standards tell you how to protect confidential personal data and handle it securely. They include:

  • only sharing data for 'lawful and appropriate' reasons
  • making sure your staff get regular training in data security
  • only letting people have access to personal information if they need it for their job
  • having a plan for what to do if there's a threat to data security
  • not using older software that's unsupported – this means it no longer gets security updates or technical support from the manufacturer, so known weaknesses are never fixed
  • having a strategy for protecting your IT systems – you must base this on a proven framework like Cyber Essentials
  • having contracts with IT suppliers that hold them to account for the way they handle your information and making sure they meet the National Data Guardian's standards

It's important to understand the full set of standards. They're set out in the National Data Guardian's review of data security, consent and opt-outs.

The Data Security and Protection Toolkit

You can use the NHS Digital Data Security and Protection Toolkit to measure if you meet the National Data Guardian's standards and GDPR. It'll help you find out what to do if there are any standards you do not meet.

Who should use the toolkit

All care providers who work under the NHS Standard Contract must register with the toolkit. The government recommends all other adult social care providers register too.

Find out about the Data Security and Protection Toolkit and create your account.

Other codes of practice

NHS Digital publishes a set of codes of practice that explain what to do in particular areas.

They include codes for:

  • records management: this tells you how long you should keep different types of health and social care records
  • confidential information

All health and social care services must ‘have regard’ to these two codes. This means you must follow them unless you have a good reason not to. For example, if you have a different way of handling these things that's just as effective.