
CQC revamps health and social care data security guidance

Neil Merrett Published 06 July 2016

Organisational review establishes new guidelines around leadership, IT systems design and removing outdated systems to tackle threat of data breaches and information loss

The Care Quality Commission (CQC) has set out six recommendations to be undertaken by health and care organisations across the UK in order to protect systems against potential data breaches and ensure patient information remains confidential.

According to the commission's findings, the key recommendations include clear organisational ownership of data security, training and the tools that staff need to handle data safely, and a move away from outdated, unsupported technology.

The CQC paper was released on the same day as a review by National Data Guardian Dame Fiona Caldicott, which proposes an overhaul of the consent models governing how patient data is used and shared beyond direct care.

That review calls for a new public consultation on how patients should be informed about, and given clearer control over, the use of their own information, gathering the views of both the public and healthcare professionals.

Under the terms of its review, the CQC said it had not undertaken an examination of IT systems as this was the subject of a separate Health and Social Care Information Centre (HSCIC) review.

However, the commission said it defined data security in terms of three properties of patient information: that it is available when needed for care, that it is protected from damage or loss, and that it is kept confidential and free from unauthorised tampering.

"We gathered the evidence for this review by conducting staff interviews, observing practice and examining documentation in NHS hospitals, GP surgeries and dental practices," said the report. "We also asked staff in the sites we visited to take part in a confidential online survey, reviewed relevant literature, consulted an expert panel of stakeholders and talked to individual experts in the field."

The CQC report identified the following recommendations:

- Health and care organisations should have defined ownership for data security as is seen for clinical and financial management
- Staff must be provided with required training, tools and support to ensure the safe handling of data
- IT systems and data security should be designed to meet the needs of patients and frontline care staff
- Hardware and software that is no longer supported should be urgently replaced
- Data security strategies should be regularly audited and open to external validation
- The CQC should overhaul its assessment framework and inspection requirements and appropriately train inspectors against the new security standards
