- Posted Monday November 6, 2017
Last week NHS England revealed that the Information Governance (IG) Toolkit will be replaced in April 2018. This is part of a new approach to measuring progress against 10 data security standards for general practice set out by Dame Fiona Caldicott. We’ve picked out some key information for primary care managers about the IG toolkit and its replacement!
The new requirements state that all GP practices in England must name a partner, board member or equivalent senior employee as being responsible for data and cyber security in the practice. This will also need to be implemented by April 2018, when the new Data Security and Protection Toolkit (DSP Toolkit) replaces the Information Governance Toolkit (IG Toolkit).
Practices will need to implement these changes to meet the data security and protection requirements set out in their contract. The CQC will monitor how closely practices follow the 10 standards as part of their inspection process, considering it as part of the ‘Well Led’ element of their inspections.
The 10 data security requirements have been recommended by Dame Fiona Caldicott, the National Data Guardian for Health and Care. Here’s a closer look at the standards and what they mean for general practices:
1. All staff ensure that all personal confidential data is handled, stored and transmitted securely. Personal confidential data is only shared for lawful and appropriate purposes.
2. All staff understand their responsibilities under the National Data Guardian’s Data Security Standards, including their personal accountability for deliberate or avoidable breaches.
3. All staff complete appropriate annual data security training and pass a mandatory test.
4. Personal confidential data is only accessible to staff who need it for their current role. All access to personal confidential data on IT systems can be attributed to individuals.
5. Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses.
6. Cyber-attacks against services are identified and resisted, and CareCERT security advice is responded to. Action is taken immediately following a data breach or a near miss.
7. A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum.
8. No unsupported operating systems, software or internet browsers are used within the IT estate.
9. A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually.
10. Suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the National Data Guardian’s Data Security Standards.
For GP practices, some requirements will be implemented by the commissioner of the GP IT & GP Information Governance Support Service (Clinical Commissioning Group (CCG) or NHS England Regional) on their behalf.
For more information, take a look at the DoH document 2017/18 Data Security and Protection Requirements. Do you think these changes will lead to improvements? Let us know your thoughts in the comment section below.