
CQC report into how data is safely and securely managed in the NHS

Following a review of whether personal health and care information is being used safely and is appropriately protected in the NHS, the CQC has released its report, Safe Data, Safe Care.

The review focused on patient data in the NHS and found:

  • There was evident widespread commitment to data security, but staff at all levels faced significant challenges in translating their commitment into reliable practice.
  • Where patient data incidents occurred they were taken seriously. However, staff did not feel that lessons were always learned or shared across their organisations.
  • The quality of staff training on data security was very varied at all levels, right up to Senior Information Risk Owners (SIROs) and Caldicott Guardians.
  • Data security policies and procedures were in place at many sites, but day-to-day practice did not necessarily reflect them.
  • Benchmarking with other organisations was all but absent. There was no consistent culture of learning from others, and we found little evidence of external checking or validation of data security arrangements.
  • The use of technology for recording and storing patient information away from paper-based records is growing. This is solving many data security issues but, if left unimproved, increases the risk of more serious, large-scale data losses.
  • Data security systems and protocols were not always designed around the needs of frontline staff. This leads to staff developing potentially insecure workarounds in order to deliver good timely care to patients – this issue was especially evident in emergency medicine settings.
  • As integrated patient care develops, improvements must be made to the ease and safety of sharing data between services.
  • Successful data security demands engaged leadership and a culture of learning and sharing. Senior leadership teams must take data security seriously and ensure clear responsibilities for all members of staff.


The CQC has made 6 recommendations in the report:

  1. The leadership of every organisation should demonstrate clear ownership and responsibility for data security, just as it does for clinical and financial management and accountability.
  2. All staff should be provided with the right information, tools, training and support to allow them to do their jobs effectively while still being able to meet their responsibilities for handling and sharing data safely.
  3. IT systems and all data security protocols should be designed around the needs of patient care and frontline staff to remove the need for workarounds, which in turn introduce risks into the system.
  4. Computer hardware and software that can no longer be supported should be replaced as a matter of urgency.
  5. Arrangements for internal data security audit and external validation should be reviewed and strengthened to a level similar to those assuring financial integrity and accountability.
  6. We'll amend our assessment framework and inspection approach to include assurance that appropriate validation against the new data security standards has been carried out, and make sure inspectors are appropriately trained.

1 August 2016

