Safe data, safe care

Published: 6 July 2016 Page last updated: 12 May 2022

This review looked at whether personal health and care information is being used safely and is appropriately protected in the NHS.

What we looked at

The review focused on patient data in the NHS (we were not asked to include providers of adult social care). We did not look at other areas of sensitive information such as HR or finance.

We also excluded a detailed examination of IT systems, which was the subject of separate work carried out by the Health and Social Care Information Centre (HSCIC).

Data security, in this review, is defined as:

  • Availability – how patient information is available to all those who need it to provide care where and when it is needed.
  • Integrity – how patient information is protected from unauthorised alteration, damage and loss.
  • Confidentiality – how patient information is kept confidential: safe from access by those without authorisation to read, see or hear it.

We gathered the evidence for this review by conducting staff interviews, observing practice and examining documentation in NHS hospitals, GP surgeries and dental practices. We also asked staff in the sites we visited to take part in a confidential online survey, reviewed relevant literature, consulted an expert panel of stakeholders and talked to individual experts in the field.

What we found

In the NHS organisations we reviewed, we found:

  • There was evident widespread commitment to data security, but staff at all levels faced significant challenges in translating their commitment into reliable practice.
  • Where patient data incidents occurred they were taken seriously. However, staff did not feel that lessons were always learned or shared across their organisations.
  • The quality of staff training on data security was very varied at all levels, right up to Senior Information Risk Owners (SIROs) and Caldicott Guardians.
  • Data security policies and procedures were in place at many sites, but day-to-day practice did not necessarily reflect them.
  • Benchmarking with other organisations was all but absent. There was no consistent culture of learning from others, and we found little evidence of external checking or validation of data security arrangements.
  • The use of technology for recording and storing patient information away from paper-based records is growing. This is solving many data security issues but, if left unimproved, increases the risk of more serious, large-scale data losses.
  • Data security systems and protocols were not always designed around the needs of frontline staff. This leads to staff developing potentially insecure workarounds in order to deliver good timely care to patients – this issue was especially evident in emergency medicine settings.
  • As integrated patient care develops, improvements must be made to the ease and safety of sharing data between services.

Successful data security demands engaged leadership and a culture of learning and sharing. Senior leadership teams must take data security seriously and ensure clear responsibilities for all members of staff.

What we recommend

We have made six recommendations in our report.

1. Leadership

The leadership of every organisation should demonstrate clear ownership and responsibility for data security, just as it does for clinical and financial management and accountability.

2. Information, tools and training

All staff should be provided with the right information, tools, training and support to allow them to do their jobs effectively while still being able to meet their responsibilities for handling and sharing data safely.

3. IT systems

IT systems and all data security protocols should be designed around the needs of patient care and frontline staff to remove the need for workarounds, which in turn introduce risks into the system.

4. Outdated technology

Computer hardware and software that can no longer be supported should be replaced as a matter of urgency.

5. Audit and validation

Arrangements for internal data security audit and external validation should be reviewed and strengthened to a level similar to those assuring financial integrity and accountability.

6. CQC assessment

We'll amend our assessment framework and inspection approach to include assurance that appropriate validation against the new data security standards has been carried out, and make sure inspectors are appropriately trained.

Find out more...

You can read our policy statement on information security and governance below.

Policy statement: Information security and governance

You can also read the joint letter from our chief executive, David Behan, and the National Data Guardian, Dame Fiona Caldicott, to Jeremy Hunt setting out the findings and recommendations of our work.

Data security review: Letter to Secretary of State

Letter to NHS trusts

In May 2016, we wrote to all NHS trusts to update them on the progress of this review. A copy of this letter is available below.

Data security review: Letter to NHS trusts