
PUBLISHED TODAY: National Data Guardian for Health and Care: Review of Data Security, Consent and Opt-out

Dame Fiona Caldicott, the National Data Guardian for Health and Care (NDG), today publishes recommendations to strengthen the security of health and care information and to help the public make informed choices about how their data is used.

This review by the National Data Guardian for Health and Care (NDG), Dame Fiona Caldicott, recommends to the Secretary of State for Health ten new data security standards to apply to all organisations which hold health or care information. These are aimed at strengthening the safeguards for keeping health and care information secure and ensuring the public can make informed choices about how their data is used.

Dame Fiona is calling on leaders of health and social care organisations to demonstrate clear accountability and responsibility for data security, just as they do for clinical and financial management and accountability.

The NDG proposes new data security standards for the NHS and social care, a method for testing compliance against the standards, and a new opt-out to make clear how people’s health and care information will be used and in what circumstances they can opt out.

Dame Fiona’s report argues that the public should be engaged about how their information is used and safeguarded, and the benefits of data sharing, with a wide-ranging consultation on her proposals as a first step.

Dame Fiona is clear that it will be important to hear the views of patients, health and care professionals, researchers, commissioners and others in this consultation and beyond. We hope you will be able to play your part.

Review of data security, consent and opt-outs

The Review recommends: “All health and social care organisations should provide evidence that they are taking action to improve cyber security; …  a strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework”. The review states that “as systems became more digital, breaches could affect greater numbers of people and the external cyber threat is becoming a bigger consideration… The Review heard that in most cases, breaches or cyber-attacks are unwittingly facilitated by the behaviour of employees who can be classed as ‘non-malicious insiders’, primarily motivated to get their job done and often working with ineffective technologies or processes… Beyond human error, the Review found that the main threat to the public and private sectors is from basic cyber-attacks, which use hacking tools that can be purchased readily and cheaply online and exploit publicly known vulnerabilities. Recent observations report significant increases in the volumes and sophistication of unsolicited emails in global circulation, many containing ‘malware’ or hidden software, designed to cause harm, by exploiting unmanaged technical weaknesses and/or human naivety”.

Future events of interest: 

Caldicott Guardian Training Course
Wednesday 21 September 2016, Friday 21 October 2016 and Wednesday 7 December 2016
Hallam Conference Centre, London

Caldicott Guardians: National Annual Conference
Thursday 6 October 2016 
The Studio, Birmingham

Cyber Security in Healthcare: Assuring and securing information in the NHS
Monday 7 November 2016 
Hallam Conference Centre, London

6 July 2016
