Every GP practice in England is contractually required to have a named partner, board member or senior employee responsible for data and cyber security under new data security requirements published by the DH and NHS England.
Practices have until the end of the 2017/18 financial year to meet 10 data security standards recommended by national data guardian Dame Fiona Caldicott in July last year. Guidance published this week set out steps practices should take to meet the standards.
The guidance says that practices must comply as ‘part of the data security and protection requirements’ set out in their contracts. However, it adds that some of the requirements will be implemented by their commissioning organisation.
The CQC will assess whether practices are following the standards when it considers data security during its inspections.
From 2018/19 the Information Governance Toolkit, which lists the governance standards practices are currently required to meet, will be replaced by a ‘new approach to measure progress against the 10 data security standards’. GP information governance services will be commissioned and made available to support practices in this, the new advice says.
Data protection
Practices will also have to complete a checklist, due to be published by NHS Digital, to ensure that they are correctly implementing the new EU-wide General Data Protection Regulation, which comes into effect in May 2018 and replaces the Data Protection Act. As part of this, practices will need to appoint a data protection officer.