As head of data security at NHS Digital, people think my job is about systems and technology. It isn’t. My job is about building public trust, and about supporting others within health and care to do the same.
I am here to put patient care first, just like the frontline organisations that deliver that care, and I would urge every organisation I work with to focus broadly on building and maintaining public trust, rather than solely on security.
I am unrelenting in my belief that one way we can improve patient outcomes is through digital patient information. This move to digital, which is happening across all aspects of our lives, can help to transform health and care, but it needs to have the right safeguards and controls in place.
The government has just published its response to the National Data Guardian Review on data security, opt-outs and consent, which endorses a set of new data security standards for health and care.
10 standards to underpin safe data sharing
The standards exist to help organisations share information safely and appropriately, and to ensure that they understand their responsibilities for keeping information safe. Additionally, the standards provide a supporting framework for keeping information secure and act as a set of guiding principles for health and care organisations.
The standards are common sense, but when they are looked at in the round, they are more about maintaining trust than about in-depth security principles or technical detail. This is exactly as it should be if these standards are to become an integral part of the way health and care organisations operate.
Just consider standards 1 and 2.
Data Security Standard 1. All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. Personal confidential data is only shared for lawful and appropriate purposes.
Data Security Standard 2. All staff understand their responsibilities under the National Data Guardian’s Data Security Standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches.
The focus is on how we handle information, understanding our responsibilities and ensuring we avoid breaches. The other eight standards continue this theme and they will help to drive an enhanced culture of data security across the health and care system.
I entirely support the content and intention of the standards, but they will not in themselves drive improvement and they should not be seen in isolation or in a silo. Instead they need to be seen as a key part of a system-wide, integrated approach to realising the recommendations of the National Data Guardian Review.
So how does this work in practice, and how are central NHS organisations helping care providers to apply the standards?
New and refreshed IG Toolkit to address cyber security
Firstly, these standards will form the heart of the new and refreshed IG Toolkit which will be launched later in 2017. The toolkit will ensure the data standards are met and is designed to take into account both physical and cyber security.
The new toolkit will also align with the Care Quality Commission’s increased role in assuring data security as part of their Well-led assessments. This ‘joined-up’ approach is fundamental to ensuring the standards help us build confidence that not only do we secure patient information, but also that we understand its value and importance.
But in developing this project, we have been mindful of the fact that this cannot just be another thing for providers to do. Having worked in the NHS across multiple providers of care, I understand that an increased burden is not welcome. It is crucial that the standards and the toolkit have real meaning and deliver demonstrable value to care providers. With this in mind, all of the partners involved have ensured that these standards replace or remove burden.
Reducing the burden of IG reporting
During the coming year it will become clearer how the new IG toolkit will enable organisations to meet the standards, while focussing on reducing effort and driving value. Similarly, we are working across the system to identify how we can collect information once and use it many times, rather than asking organisations within health and care to continue to supply the same information multiple times for multiple purposes.
I personally welcome the government response on the data security elements of the review and the work going on across the system to ensure these can be embedded. Their adoption is a signal to patients and the public as a whole on our commitment to protect their data.
They are a part of an overall approach to enhancing data security and I look forward to talking more about the wider initiatives as the year progresses. In the interim, the Data Security Centre and its CareCERT service are there to help and support organisations to develop their security and information assurance.
Whilst we are here to help and support, we also know that we can always improve, and we want to actively work with health and care organisations to ensure that our services are designed around user and patient need, and are built iteratively, as part of a wider and continuing conversation about data security.