I am today publishing the Government response to the public consultation on the National Data Guardian for Health and Care’s (NDG) and Care Quality Commission’s (CQC) data security reviews. A copy of the response is attached and available at https://www.gov.uk/government/consultations/new-data-security-standards-for-health-and-social-care
Boosting cyber resilience, improving the response to data and cyber incidents and providing clarity on the handling of personal data remain an urgent priority for the health and care sector.
Following consultation which closed on 7 July 2016, the Government accepts the recommendations from the two independent data security reviews published in 2016.
Through the consultation, we heard broad support for Dame Fiona Caldicott’s recommended data security standards and opt-out model, alongside a clear message that we need to carefully think through and approach all elements of implementation. Other key themes in the responses to the consultation related to the need to build public trust through providing clarity and communicating clearly with the public and professionals.
The global WannaCry ransomware attack in May 2017, which affected many other countries’ services as well as our own health and care system, has reaffirmed the potential for data and cyber incidents to impact directly on patient care, as well as the need for our health and care system to act decisively to minimise the impact on essential front-line services.
The Government response includes wide-ranging plans to strengthen organisations across the NHS and social care against the threat of global cyber-attacks.
The immediate and longer-term actions are centred on ensuring local organisations are implementing the 10 data security standards proposed in the NDG review, supported by the national cyber support services provided by NHS Digital, backed up by clear contractual obligations, and by assurance and regulatory action.
Investment in data and cyber security will be boosted above £50 million and will include a new £21 million capital fund which will increase the cyber resilience of major trauma sites.
NHS Digital is already supporting local organisations by broadcasting alerts about cyber threats, providing a hotline for dealing with incidents, sharing best practice across the health and care system and carrying out on-site assessments to mitigate against cyber security.
The NHS contract now requires NHS organisations to implement and adopt data security standards as recommended by the independent NDG for Health and Care.
Chief executives will also be held to account for standards that are being implemented and maintained and this will be assessed during inspections by the Care Quality Commission from September this year.
The Government’s response also includes steps to give patients and the public more access to, and control over, their personal data while building confidence in the importance of secure data to provide better individual care and treatment, as well as supporting research and planning across the health system.
As the Chief Medical Officer’s recent report on genomics showed, better use of data and technology has the power to improve health outcomes, deliver better patient experience, transform the quality of care patients receive and support improvements across the health and social care system – now and in the future. Staff and patients will benefit from reduced bureaucracy, freeing up more time for patient care, and leading to more accurate diagnoses and more personalised treatment.
I want to thank Dame Fiona Caldicott, her team and the Care Quality Commission for their important and considered reviews and recommendations, which can be found at:
This statement has also been made in the House of Commons: