Boards required to designate executive with data security responsibility


Every NHS board in England will be required to designate an executive board member responsible for data and cyber security, under government plans to bolster data security and increase cyber resilience across the health and care sector.

The move forms part of a new requirement for chief executives to issue an annual ‘statement of resilience’ detailing the action their organisation is taking to meet the ten data security standards recommended in Dame Fiona Caldicott’s review into data security, consent and opt-outs.

The government’s response to the Caldicott review and to the Care Quality Commission’s (CQC) review into data security, ‘Your data: Better security, better choice, better care’, states:

“To ensure that the standards are being prioritised and implemented, in summer 2017, NHS Improvement will publish a new ‘statement of requirements’ which will clarify required action for local organisations, which chief executive officers must respond to with an annual ‘statement of resilience’, confirming essential action has been taken. 

“This will include the requirement for each organisation to have a named executive board member responsible for data and cyber security.”

Published on 12 July, the response also announced that investment in data and cyber security will be boosted above £50 million and the allocation of £21 million of capital funding to increase the resilience of major trauma sites “as an immediate priority.”

The measure follows the global WannaCry cyber security incident which affected NHS organisations in May 2017.

Other announcements include:

  • From September 2017, data security will form part of the CQC’s role in assessing how well-led NHS trusts are. GPs and adult social care providers will follow from November 2017, with CQC’s inspection framework to be further developed by April 2018.
  • The National Data Guardian’s position will be put on a statutory footing.
  • Stronger sanctions will be introduced by May 2018 to protect anonymised data, including severe penalties for negligent or deliberate re-identification of individuals.
  • The Network and Information Security Directive, to be implemented by May 2018, will give further legal backing to the ten data security standards by requiring those organisations identified as ‘operators of essential services’ to comply with defined security requirements.
  • The public will be able to choose if they wish to opt out nationally from March 2018.
  • Plans to give patients and the public more access to, and control over, their personal data.
  • A new Information Governance Toolkit will be in place by April 2018 and will incentivise organisations to report near-misses.

Download the document from the Department of Health website.
