Every NHS board in England will be required to designate an executive board member responsible for data and cyber security, under government plans to bolster data security and increase cyber resilience across the health and care sector.
The move forms part of a new requirement for chief executives to issue an annual ‘statement of resilience’ detailing the action their organisation is taking to meet the ten data security standards recommended in Dame Fiona Caldicott’s review into data security, consent and opt-outs.
Your data: Better security, better choice, better care, the government’s response to the Caldicott review and the Care Quality Commission's (CQC) review into data security, states:
“To ensure that the standards are being prioritised and implemented, in summer 2017, NHS Improvement will publish a new ‘statement of requirements’ which will clarify required action for local organisations, which chief executive officers must respond to with an annual ‘statement of resilience’, confirming essential action has been taken.
“This will include the requirement for each organisation to have a named executive board member responsible for data and cyber security.”
Published on 12 July, the response also announced that investment in data and cyber security will be boosted above £50 million, and that £21 million of capital funding will be allocated to increase the resilience of major trauma sites “as an immediate priority.”
The measure follows the global WannaCry cyber security incident which affected NHS organisations in May 2017.
Other announcements include:
- From September 2017, data security will form part of the CQC’s role in assessing how well-led NHS trusts are. GPs and adult social care providers will follow from November 2017, with CQC’s inspection framework to be further developed by April 2018.
- The National Data Guardian’s position will be put on a statutory footing.
- Stronger sanctions will be introduced by May 2018 to protect anonymised data, including severe penalties for negligent or deliberate re-identification of individuals.
- The Network and Information Security Directive, to be implemented by May 2018, will give further legal backing to the ten data security standards by requiring those organisations identified as ‘operators of essential services’ to comply with defined security requirements.
- The public will be able to choose if they wish to opt out nationally from March 2018.
- Plans to give patients and the public more access to, and control over, their personal data.
- A new Information Governance Toolkit will be in place by April 2018 and will incentivise organisations to report near-misses.
Download the document from the Department of Health website.
For further information on data and cyber security, access the following resources: