GP mythbuster 85: Data security and protection – expectations for general practice

Page last updated: 23 December 2022
Organisations we regulate

Patient safety can only be assured when information is accessible, its integrity is protected against loss or damage, and confidentiality is maintained.

We know from our 2016 Safe data, safe care review there is widespread commitment across the NHS to keeping data secure. Yet we found that effective action to keep data secure is not always being taken where necessary. While data is generally treated safely, NHS organisations remain vulnerable to potential risks.

Alongside CQC’s review, Dame Fiona Caldicott, the National Data Guardian, recommended ten data security standards. These aim to strengthen the safeguards for keeping health and care information secure.

Requirements for general practices

Data security and protection toolkit

All organisations that have access to NHS patient data and systems must use the data security and protection toolkit (DSPT) to measure and report on their performance.

This online self-assessment toolkit is only accessible to NHS organisations registered with the NHS Digital DSPT website. It replaces the information governance toolkit. DSPT incorporates Dame Fiona’s recommended data security standards and includes guidance on the evidence needed to meet each one.

Practices must submit their assessments by the end of March 2019.

General Data Protection Regulation (GDPR)

The DSPT is aligned to the new requirements of the General Data Protection Regulation (GDPR).Meeting the mandatory requirements of the DSPT will not, on its own, ensure practices are fully GDPR compliant.

Practices must understand their obligations under GDPR and continue to work towards achieving and maintaining compliance.

Guidance on GDPR compliance:

CQC inspections

All health and care organisations must assure themselves they are implementing the data security standards and meeting their statutory obligations on data protection and data security. This comes under well-led, key line of enquiry W6 “Is appropriate and accurate information being effectively processed, challenged and acted on?”

We do not directly assess GDPR compliance or make detailed, technical assessments of data security. Our inspectors will be interested in understanding how practices assure themselves they are meeting their responsibilities to protect patient data.

GP mythbusters