The Department of Health has issued guidance to health care organisations outlining the actions they should take to demonstrate they have implemented the 10 recommended data security standards.
The recommendations, made by the National Data Guardian, apply for the 2017/18 tax year and affect all health care organisations. The standards have been introduced ahead of a new assurance framework due to come into force in April 2018.
The guidance, which is intended for general practices, social care providers and NHS providers, has sections related to people and processes within an organisation. It includes (among other things):
- Ensuring a named senior executive is responsible for data and cyber security at the organisation.
- Completing the Information Governance Toolkit v14.1 – organisations must still achieve at least level two on the current IG toolkit during 2017/18. The existing toolkit will be replaced by the new Data Security Protection toolkit from 2018/19, which will complement the 10 data security standards.
- Requiring all staff to complete appropriate annual data security and operation training. The training replaces the previous Information Governance training and contains new cyber security sections.
- Completing the General Data Protection Regulation (EU) 2016/679 checklist. NHS Digital will issue a checklist to help organisations implement the regulation’s requirements, which they must comply with from May 2018.
The guidance includes a separate section for measures that apply to general practices only.