While much has been written and said about the EU’s General Data Protection Regulation (GDPR), the compliance deadline for which is 25 May this year, GP practice managers need to be aware of another set of data security requirements – which need to be met by April.
The ‘2017/18 Data Security and Protection Requirements’ mean that all health and care organisations will be expected to take steps to implement 10 data security standards recommended by the National Data Guardian. From April 2018 the new Data Security and Protection Toolkit (DSP Toolkit) replaces the Information Governance Toolkit (IG Toolkit). It will form part of a new framework for assuring that organisations are implementing the 10 data security standards and meeting their statutory obligations on data protection and data security.
The reality of the regulations
Firstly, it’s worth pointing out that the regulations will become part of the CQC inspections. When considering data security as part of the ‘well led’ element of their inspections, the Care Quality Commission will look at how organisations are assuring themselves that the steps set out are being taken.
General Practices, contracted to provide primary care essential services to a registered list under GMS, PMS or APMS, must comply with the requirements, as part of the data security and protection requirements set out in that contract. That said, some requirements will be fulfilled by CCGs or NHS England Regional on behalf of practices.
What do you need to do?
With the above in mind, what do the regulations actually mean for practices and what do practice managers need to do ahead of the April deadline?
First of all, it’s worth familiarising yourself with the 10 standards. We’ve produced a handy, downloadable document, which can be accessed here.
Otherwise, key points of interest that practice managers need to be aware of, broken down into the separate sections of the policy document are:
Senior level responsibility: Each practice must have a named partner, board member or equivalent senior employee to be responsible for data and cyber security in the practice. The CCG as commissioner will be responsible for providing specialist support to this role but each practice remains accountable.
Completing the Information Governance Toolkit v14.1: Each practice remains accountable and responsible for completing the current GP IG Toolkit with a recommendation that practices attain level two as a minimum. From 2018/19 onwards, it will be replaced with a new approach to measure progress against the 10 data security standards. The commissioned GP IG services are available to support practices in this. The locally commissioned GP IT Delivery partner will also be contractually required to complete the current IG toolkit to at least level two for their organisation and the services delivered under the GP IT contract.
Complete the GDPR Checklist: NHS Digital will publish a checklist to support public authority organisations (including general practices) in implementing the requirements of GDPR which they will be required to comply with from May 2018. General Practices should complete this checklist to ensure they will be able to meet their legal obligations from May 2018. Each general practice will be accountable and responsible for completing this, including the appointment of a Data Protection Officer (DPO). More information on GDPR can be found here.
Training Staff: Each general practice is accountable for ensuring all staff complete appropriate annual data security and protection training. Online training is available. This training replaces the previous Information Governance training while retaining key elements of it and adding a new section on cyber security. More information can be found at https://www.elfh.org.uk/programmes/data-security-awareness/
Continuity planning: Each General Practice is required to continue to maintain a business continuity plan, which will include the response to data and cyber security incidents.
Reporting incidents: Each general practice is accountable for ensuring data security incidents and near misses are reported to CareCert in line with reporting guidelines. Practices will be supported by the commissioned GP IT and GP IG services in the reporting and managing of the incident.
Unsupported technology: CCGs must ensure for all supported general practices the following:
- Identify unsupported systems (including software, hardware and applications); and
- Have a plan in place by April 2018 to remove, replace, or actively mitigate and manage the risks associated with unsupported systems.
NHS Digital good practice guidance on the management of unsupported systems can be found here.
On-site technology assessments: CCGs must ensure the commissioned GP IT delivery partner carries out the following for all supported general practices and GP IT infrastructure. General practices are required to fully support such assessments.
Checking IT supplier certification: All parties who commission or procure IT systems, i.e. individual general practices, CCGs, GP IT Delivery Partners and NHS Digital (GPSoC), will ensure that any supplier of IT services, infrastructure or systems used in general practice has the appropriate certification. CCGs will ensure commissioned GP IT services include access to specialist technical advice for IT procurement.
Between now and the April regulation deadline, further support will be issued to practices. All organisations will be given access to the new Data Security and Protection Toolkit from later in January 2018 (although Practice Index has been told that this could slip to February, subject to the completion of testing) to familiarise themselves with the approach to measuring implementation and compliance, and to consider how it might apply to their organisation from April 2018.
Then, in April 2018, further guidance will be published to help practices use the new Data Security and Protection Toolkit, as the regulations come into force.
When preparing for the new regulations, you may consider that you need to increase your organisation’s understanding of data and cyber security. The ‘10 Steps to Cyber Security’ pages on the National Cyber Security Website may prove helpful here.
Data security and data sharing is a hot topic – and will continue to be so over the coming months – so keep an eye on Practice Index for more information.
Are you confident you’ll be able to meet the upcoming security regulations? Are there any areas you’re unsure about? Let us know by commenting below, drop us an email or ask your fellow PMs on the forum here.