Transcription of Safe data, safe care - Care Quality Commission
1 safe data , safe care Report into how data is safely and securely managed in the NHS. JULY 2016. The care Quality Commission is the independent regulator of health and adult social care in England. Our purpose We make sure health and social care services provide people with safe , effective, compassionate, high- Quality care and we encourage care services to improve. Our role We register care providers. We monitor, inspect and rate services. We take action to protect people who use services. We speak with our independent voice, publishing regional and national views of the major Quality issues in health and social care . Our values Excellence being a high-performing organisation Caring treating everyone with dignity and respect Integrity doing the right thing Teamwork learning from each other to be the best we can b safe data , safe care .
2 S A F E D ATA , S A F E C A R E. Contents HOW WE CARRIED OUT THE REPORT INTO HOW data IS SAFELY AND SECURELY MANAGED IN THE NHS. 1. FOREWORD. Foreword Good information underpins good care . The National data Guardian was asked, as one aspect of the CQC-led review, to develop new Patient safety can only be assured when data security standards that can be applied to information is accessible, its integrity is protected all health and care organisations and, with CQC, against loss or damage, and confidentiality is to develop a method of assuring these new maintained. standards, as appropriate. Dame Fiona Caldicott data security should be treated very seriously. was also asked to make recommendations It has been an issue of national concern in the on a new consent model for sharing patient health sector for some years, but has now been information; informing the public how their data pushed to the forefront of the public's attention will be used and when they can opt out.
3 By a number of recent, high profile data breaches. In our review, we found that across the NHS. Reflecting the importance attached to data there is widespread commitment to keeping security, the Secretary of State for Health asked data secure, but effective action is not always CQC to do two things: being taken where necessary. While data , for the most part, is generally treated safely, NHS. 1. Review the effectiveness of current organisations remain vulnerable to potential risks. approaches to data security by NHS. organisations when it comes to handling We are clear that present data security systems patient confidential data , and make and processes need to be continuously and recommendations on how current actively reviewed so that they are resilient to arrangements for ensuring NHS providers current and future risks.
4 Protect personal data could be improved. 2. Make recommendations about how the new guidelines (published by the National data Guardian, Dame Fiona Caldicott) can be assured through CQC inspections, NHS. England commissioning processes, and any other potential mechanisms. 2 safe data , safe care . FOREWORD. We have been reassured to find, through this and ensure that the security of data systems is work and data recorded by the Health and Social proactively and regularly tested. Having the right care Information Centre, that there have been policies in place is not enough policies must very few attacks on health information systems. be tested, much like the frequent checks of fire Those that have occurred have targeted financial, alarms and practising the full evacuation of a not patient, data .
5 In addition, the total number building. The leadership of all NHS organisations of reported data breaches is proportionately needs to demonstrate clear ownership and very small: there were 533 in the year to 31 responsibility for data security, just as they May 2015, in the context of billion data should for clinical and financial management and transactions (excluding paper transactions) accountability. across the whole NHS network in the same Importantly, there should be no conflict between period.*. protecting and sharing data . While data must Even so, the review has found many instances of be handled securely, safety barriers must not poor practice, any of which could have led to a prevent information from being shared.
6 data breach. We are very grateful to all those who enabled us Complacency cannot be afforded. As confidential to conduct this review we visited 60 NHS sites data is held and accessed in fresh ways through across England, and staff at all levels in those new technology, the risks change and so must organisations gave their time to help us gather the response if both security and public trust are the data on which our work here is based. The to be maintained. generosity shown by healthcare staff, who shared their experiences and concerns, not only helped NHS organisations must take steps to understand us in this piece of work - it will also enable the their individual exposure to risk, and act to entire system to learn from their insights and so reduce it as a matter of priority.
7 Improve. There is a real need for the leadership of NHS. organisations from the lead partner in a small GP or dental practice to the chief executive David Behan and the board of a hospital trust to prioritise Chief Executive the safety and confidentiality of personal data , *All transactions across the NHS Spine, including 465 million NHS staff accessing and recording patient data , 193 million choose and book or e-referral transactions by patients. REPORT INTO HOW data IS SAFELY AND SECURELY MANAGED IN THE NHS. 3. SUMMARY. Summary This thematic review of data security was Common to all sectors and sizes of organisation conducted to establish whether personal health was the range of human behaviours that could and care information is being used safely and is inadvertently lead to data breaches.
8 As an appropriately protected in the NHS. example, a large hospital with diverse systems faced more difficulties than single-handed GPs, The review focused on patient data in the NHS. who were only working with a single system (we were not asked to include providers of adult and were therefore less likely to have to log social care ). We did not look at other areas of in and out of different systems to complete sensitive information such as HR or finance. a single task. As a result, such a GP practice We also excluded a detailed examination of was less likely to invent the kind of insecure IT systems, which was the subject of separate workarounds that we found in emergency care work carried out by the Health and Social care in large hospitals.
9 However, some small primary Information Centre (HSCIC). care practices were working with outdated, data security, in this review, is defined as: unsupported technology, and did invent their zz Availability how patient information is own insecure workarounds in response to the available to all those who need it to provide challenges they faced, for example, taking home care where and when it is needed. a system back-up in their bag, instead of backing up to a secure cloud (network of servers) or zz Integrity how patient information is other secure mechanism. protected from unauthorised alteration, damage and loss. zz Confidentiality how patient information is Key findings kept confidential: safe from access by those In the NHS organisations we reviewed, we found: without authorisation to read, see or hear it.
10 Zz There was evident widespread commitment We gathered the evidence for this review by to data security, but staff at all levels faced conducting staff interviews, observing practice significant challenges in translating their and examining documentation in NHS hospitals, commitment into reliable practice. GP surgeries and dental practices. We also zz Where patient data incidents occurred they asked staff in the sites we visited to take were taken seriously. However, staff did part in a confidential online survey, reviewed not feel that lessons were always learned or relevant literature, consulted an expert panel of shared across their organisations. stakeholders and talked to individual experts in the field.
