Review by the Care Quality Commission (CQC) looking at whether personal health and care information is being used safely and is appropriately protected in the NHS.
This CQC review focused on patient data in the NHS.
In the NHS organisations reviewed, the CQC found:
- There was evident widespread commitment to data security, but staff at all levels faced significant challenges in translating their commitment into reliable practice.
- Where patient data incidents occurred they were taken seriously. However, staff did not feel that lessons were always learned or shared across their organisations.
- The quality of staff training on data security was very varied at all levels, right up to Senior Information Risk Owners (SIROs) and Caldicott Guardians.
- Data security policies and procedures were in place at many sites, but day-to-day practice did not necessarily reflect them.
- Benchmarking with other organisations was all but absent. There was no consistent culture of learning from others, and we found little evidence of external checking or validation of data security arrangements.
- The use of technology for recording and storing patient information away from paper-based records is growing. This is solving many data security issues but, if left unimproved, increases the risk of more serious, large-scale data losses.
- Data security systems and protocols were not always designed around the needs of frontline staff. This leads to staff developing potentially insecure workarounds in order to deliver good, timely care to patients. This issue was especially evident in emergency medicine settings.
- As integrated patient care develops, improvements must be made to the ease and safety of sharing data between services.