Digital Health Legal

Volume: 4 Issue: 8
(August 2017)

Government accepts Caldicott and CQC recommendations

The UK Government published its response to the recommendations made by the National Data Guardian, Dame Fiona Caldicott (‘NDG’), and the Care Quality Commission (‘CQC’) on 12 July 2017, in relation to the data security, opt-out and consent policies for health data within the UK’s health and social care system. The response document, ‘Your Data: Better Security, Better Choice, Better Care,’ sets out the UK Government’s intention to uphold all the recommendations made by the NDG in the ‘Review of data security, consent and opt-outs’ and by the CQC in its ‘Safe data, safe care: data security’ review.

The NDG’s review criticised the NHS’ current data security, recommending that the NHS’ Information Governance Toolkit be updated and that it integrate the NDG’s set of ten ‘data security standards.’ These standards include restricting access to ‘personal confidential data’ to those who need it, and only for as long as they need it; identifying and responding to cyber attacks as soon as possible with the advice of CareCERT; reporting breaches within 12 hours of detection; and holding IT suppliers accountable, via their contracts, for protecting the personal confidential data they process. “The standards recommended by the NDG seem robust,” said Valerie Surgenor, Partner at MacRoberts, who adds, however, that they “seem very ambitious to implement and continually monitor. For example ‘standard 3’ says that all staff should complete annual training and pass a mandatory test - what would happen if a large number of staff failed this?”

The UK Government states that ‘a framework will be in place to support organisations to move to the latest operating system by March 2018,’ in response to the CQC noting that the NHS’ use of outdated, unsupported systems poses data security vulnerabilities. The CQC further commented that human activity, such as working around system rules in an insecure way in order to improve efficiency, was also a major cause of data insecurity. The CQC recommended that, in addition to redesigning IT systems and data protocols around the needs of patient care, ‘all staff should be provided with the right information, tools, training and support to allow them to do their jobs effectively while still being able to meet their responsibilities for handling and sharing data safely.’

The Government has announced an initial £21 million increase to the £50 million investment in data and cyber security already being provided to the NHS, to increase the cyber resilience of major trauma sites as an immediate priority, and to improve NHS Digital’s national monitoring and response capabilities.

The NDG also made recommendations relating to consent, transparency regarding the use of citizens’ health data, and the use of opt-out models. The Government has agreed inter alia to implement a revised consent/opt-out model ‘to allow people to opt out of their personal confidential data being used for purposes beyond their direct care’ and to roll out an online service for citizens to ‘see more clearly how their data collected by NHS Digital has been used for purposes other than their direct care’ by March 2020. “The new system points towards a more ‘user preference’ type of data management for data subjects, which seems positive,” said Surgenor. “Education will be key to ensuring patients understand.”
