Digital Health Legal

Volume: 4 Issue: 11
(November 2017)


UK Department of Health publishes 2017/18 Data Security and Protection Requirements

The UK Department of Health (‘DOH’) published the 2017/18 Data Security and Protection Requirements (the ‘Requirements’) on 30 October 2017, which set out the steps all health and care organisations will be expected to take in order to demonstrate that they are putting into practice the ten data security standards recommended by the National Data Guardian in the ‘National Data Guardian for Health and Care’s Review of Data Security, Consent and Opt-Outs.’

The measures that all health and care organisations will be required to take include: naming a senior executive responsible for data and cyber security in the organisation, completing the Information Governance Toolkit v14.1 before it is replaced by the new Data Security and Protection Toolkit, completing a GDPR checklist that will be published at a later date by NHS Digital, implementing ‘appropriate’ annual data security and protection training for all staff, acting on CareCERT advisories and reporting incidents to CareCERT in line with its guidelines, implementing a plan to respond to data and cyber security incidents, having a plan in place by April 2018 to ‘remove, replace or actively mitigate or manage the risks associated with unsupported systems,’ undertaking on-site assessments at the request of NHS Digital, and checking the certification of IT systems suppliers.

“The Requirements outline some high-level principles that the majority of organisations will to some degree already consider to be good practice,” said Nicola Fulford and Dan Whitehead of Kemp Little. “But without a considerable amount of further guidance being published on how to achieve the Requirements, it may be difficult for health and care organisations to develop the knowledge and experience to make the necessary improvements that are required. We would hope that this document is therefore only seeking to formalise and publicise the broad policies that are already being implemented across the NHS.” Fulford and Whitehead add that “the primary purpose of the Requirements is to protect patient data which is also protected by the current UK Data Protection Act and the upcoming GDPR. Although the Requirements will assist with complying with the GDPR, which comes into effect in May next year, they are insufficient in themselves. The Requirements indicate that a more detailed GDPR checklist will be published at some point in the future by NHS Digital, but with only months to go before the Regulation takes effect, health organisations are going to struggle to take all of the steps that are necessary in time.”

The DOH announced in the Requirements that a new Data Security and Protection Toolkit will replace the current Information Governance Toolkit in April 2018; the new Toolkit is intended to give organisations a new way to measure their progress against the ten data security standards. Under the ‘Key Dates’ section of the Requirements, the Data Security and Protection Toolkit is due to be piloted in November 2017, with access provided to all organisations from January 2018 so that they can ‘familiarise themselves with the approach to measuring implementation and compliance and consider how they might apply to their organisation from 2018.’

Separately, the National Audit Office (‘NAO’) published on 27 October 2017 the Report of its investigation into the NHS’s response to the WannaCry attack of May 2017, which disrupted at least 34% of NHS trusts in England. Although the Report states that the DOH and NHS England still do not know the full extent of the disruption, its key findings include that the DOH had been warned about the risk of cyber attacks on the NHS a year before WannaCry; that the DOH had developed a plan, setting out the roles and responsibilities of national and local organisations in responding to a cyber attack, but had not tested it at a local level; and that, because the NHS had not rehearsed for a national cyber attack, it was not immediately clear who should lead the response. The Report lists the lessons to be learned from the attack, including that relatively simple action could have been taken to protect NHS organisations from WannaCry, and notes that the NHS has accepted that there are lessons to learn and is taking action.

“I was shocked at the disjointed nature of the NHS in terms of its cyber security and the Report shows that even now much of the data as to the full impact of the attack is seemingly lost or unavailable,” explains Dan Hyde, Partner at Penningtons Manches LLP. “It is arguably better not to have any breach response plan than one that is merely a box ticking exercise that leads to complacency and increased confusion when the attack hits.” Hyde concludes that the NHS’s acceptance that lessons are to be learnt from WannaCry is “meaningless unless there is proper realistic incident response testing and the NHS addresses its fragmentation issues so that there are not silos that are a weak link through which the system can be attacked.”
