This review looked at whether personal health and care information is being used safely and is appropriately protected in the NHS.
What we looked at
The review focused on patient data in the NHS (we were not asked to include providers of adult social care). We did not look at other areas of sensitive information such as HR or finance.
We also excluded a detailed examination of IT systems, which was the subject of separate work carried out by the Health and Social Care Information Centre (HSCIC).
Data security, in this review, is defined as:
- Availability – how patient information is available to all those who need it to provide care where and when it is needed.
- Integrity – how patient information is protected from unauthorised alteration, damage and loss.
- Confidentiality – how patient information is kept confidential: safe from access by those without authorisation to read, see or hear it.
We gathered the evidence for this review by conducting staff interviews, observing practice and examining documentation in NHS hospitals, GP surgeries and dental practices. We also asked staff in the sites we visited to take part in a confidential online survey, reviewed relevant literature, consulted an expert panel of stakeholders and talked to individual experts in the field.
What we found
In the NHS organisations we reviewed, we found:
- There was evident widespread commitment to data security, but staff at all levels faced significant challenges in translating their commitment into reliable practice.
- Where patient data incidents occurred, they were taken seriously. However, staff did not feel that lessons were always learned or shared across their organisations.
- The quality of staff training on data security was very varied at all levels, right up to Senior Information Risk Owners (SIROs) and Caldicott Guardians.
- Data security policies and procedures were in place at many sites, but day-to-day practice did not necessarily reflect them.
- Benchmarking with other organisations was all but absent. There was no consistent culture of learning from others, and we found little evidence of external checking or validation of data security arrangements.
- The use of technology for recording and storing patient information away from paper-based records is growing. This is solving many data security issues but, if left unimproved, increases the risk of more serious, large-scale data losses.
- Data security systems and protocols were not always designed around the needs of frontline staff. This leads to staff developing potentially insecure workarounds in order to deliver good timely care to patients – this issue was especially evident in emergency medicine settings.
- As integrated patient care develops, improvements must be made to the ease and safety of sharing data between services.
Successful data security demands engaged leadership and a culture of learning and sharing. Senior leadership teams must take data security seriously and ensure clear responsibilities for all members of staff.
What we recommend
We have made six recommendations in our report.
1. Leadership
The leadership of every organisation should demonstrate clear ownership and responsibility for data security, just as it does for clinical and financial management and accountability.
2. Information, tools and training
All staff should be provided with the right information, tools, training and support to allow them to do their jobs effectively while still being able to meet their responsibilities for handling and sharing data safely.
3. IT systems
IT systems and all data security protocols should be designed around the needs of patient care and frontline staff to remove the need for workarounds, which in turn introduce risks into the system.
4. Outdated technology
Computer hardware and software that can no longer be supported should be replaced as a matter of urgency.
5. Audit and validation
Arrangements for internal data security audit and external validation should be reviewed and strengthened to a level similar to those assuring financial integrity and accountability.
6. CQC assessment
We will amend our assessment framework and inspection approach to include assurance that appropriate validation against the new data security standards has been carried out, and make sure inspectors are appropriately trained.