Health & social care organisations, trust and data security


In June 2016 the National Data Guardian for Health and Care, Dame Fiona Caldicott, published her report ‘Review of Data Security, Consent and Opt-Outs’. This addresses the question of what more can be done to build trust in how the NHS and social care services look after people’s confidential data and use it appropriately.

At its heart, the report is about trust. It looks in particular at two aspects of people's trust:

  • Whether data security is good enough.
  • The basis upon which information is shared.


The report cites evidence that, although people trust the NHS to protect their information, that trust has been eroded in cases such as data breaches: emails containing sensitive information sent to the wrong address, data shared without consent, or records that have been misplaced or lost.

Whilst acknowledging that most organisations are concerned about data security, it recognises that there are problems involving people, processes and technology, and says that “Data is not always adequately protected and individuals and organisations are not consistently held to account”. Examples of poor practice include confidential papers being stored in unlockable cabinets, faxes being sent to the wrong number and the use of unencrypted laptops.

The report says that when it comes to data security, leadership is crucial, and that where that responsibility is only one part of someone’s job, and not prioritised, data security can suffer. It also says “internally, data breaches are often caused by people who are finding workarounds to burdensome processes and outdated technology, and may have a lack of awareness of their responsibilities”.


Perhaps unsurprisingly, the report says that properly trained and well-motivated staff are essential, and that annual role-appropriate training should be mandatory for everyone who works in health and social care, with bespoke additional training for people in leadership roles.


The report makes 20 recommendations including:

  • The leadership of every organisation should demonstrate clear ownership and responsibility for data security.
  • All health and social care organisations should provide evidence that they are taking action to improve cyber security, for example through the ‘Cyber Essentials’ scheme.
  • NHS England should change its standard financial contracts to require organisations to take account of the data security standards. Local government should also include this requirement in contracts with the independent and voluntary sectors. Where a provider does not meet the standards over a reasonable period of time, a contract should not be extended.
  • CQC should amend its inspection framework and inspection approach for providers of registered health and care services to include assurance that appropriate internal and external validation against the new data security standards has been carried out.
  • There should be a new consent/opt-out model to allow people to opt out of their personal confidential data being used for purposes beyond their direct care.

The full report can be found here.


This report acknowledges that almost all health and social care organisations can and should do more when it comes to data security, that someone in each organisation should be given responsibility for it, and that regular training is essential.


Focusing on technology alone is not enough to address these issues. Effectively managing risk also means putting in place the right governance and the right supporting processes, as well as effective training. We provide a comprehensive service to help you with all your data security requirements. Contact us to find out more.


This article is intended for informational purposes only, so please don’t rely on it as legal advice!


We believe that data protection is about protecting people and that the four elements of data protection are trust, transparency, privacy and security. If you agree and like this page please feel free to share it.
