Healthcare information security

NDG Pt. 1: Data security standards and opt-out models in health and social care

October 30, 2017 by Kieran Sullivan

Other articles in this series:

Pt. 2: Government Views On Opting Out – Health Data and Security in The UK


Pt. 3: The Impact of new data security standards and opt-out model on the IG Toolkit


While the technical aspects of sharing patient data in health and social care continue to evolve, the Review of Data Security from the National Data Guardian focuses on the more permanent issue of building trust.

The use of data gathering, storing, sharing, and analysis in health care can allow for all manner of efficiencies and better services for patients. This is true of any sphere where the concept of big data is applied. The health and social care sector is different, however, in that the data is likely to be more sensitive, and the data generators (i.e. patients) sometimes provide their information from a vulnerable position: with reduced cognition, under stress, on medication, and so on.

In 1997, Dame Fiona Caldicott examined concerns regarding patient information in the UK’s National Health Service (NHS). Specifically, she looked at how the increasing use of information technology (IT) within the NHS could erode confidentiality due to its ability to quickly propagate information on patients around the care ecosystem.

The Caldicott Report produced six principles, with a seventh added in a follow-up report in 2013. Following controversy regarding data extraction from GP surgeries in 2016, a further follow-up report was produced.

Understandably, the 2016 report focuses on trust. Setting the tone in her foreword to the Report, Dame Caldicott says, “Everyone who uses health and care services should be able to trust that their personal confidential data is protected.” The remit of the report was to recommend new data security standards, a method to check compliance with these standards, and a new consent/opt-out model for data sharing.


A relatively large number of frameworks and standards already exist, and the report states that there is potential for confusion among data controllers. Additionally, the self-assessment aspect of compliance mechanisms caused concern, whereas audits were generally welcomed because they provided “teeth in enforcement”.

The report analyzed the following existing standards:

  • Information Governance Toolkit (IG Toolkit)
  • CESG Cyber Essentials
  • Cyber Essentials ‘PLUS’
  • Public Services Network – Code of Connection (PSN CoCo)
  • ISO/IEC 27001:2013 (Information Security Management)
  • Information Security Forum’s Standards of Good Practice (ISF SoGP)

With respect to operation in health and social care, organizations were often found to be overwhelmed by highly detailed standards such as ISO/IEC 27001 and ISF SoGP. When the costs of licensed documentation and related support were factored in, the report concluded that such standards were not suitable for sector-wide implementation.

Instead, the focus should be on strong leadership in data security, and the report lists 10 standards organized under three leadership obligations:

  1. People: Ensure staff are equipped to handle information respectfully and safely, according to the Caldicott Principles.
  2. Process: Ensure the organization proactively prevents data security breaches and responds appropriately to incidents or near misses.
  3. Technology: Ensure technology is secure and up-to-date.

The full list of 10 can be seen on page 22 of the report.

Implementing standards and checking compliance

In the first instance, the requirement to comply with data security standards should be written into the financial contracts for organizations. Only those found to be compliant would have their contracts extended, thereby providing a mechanism to remove non-compliers. Objective assurance of this compliance would be best carried out by third parties, with organizations including this as part of their regular internal audit process.

Support for implementing new standards could come from a refreshed IG toolkit and additional expertise from NHS Digital (formerly the Health and Social Care Information Centre – HSCIC). Peer support from exemplary organizations would also be beneficial, as would regulatory input from initiatives such as NHS Improvement and the Association of Directors of Adult Social Services in England (ADASS).

Regarding culture change, the need to foster a culture of ‘learning not blaming’ is self-evident. If staff at all levels are encouraged to highlight potentially insecure actions, then organizations can better target security efforts at people, processes, and technologies most likely to result in problems.

The report also proposes tougher sanctions for non-compliance arising from malicious or intentional data breaches. While specific penalties are not suggested, the report does call for the redress for breaches proposed in the 2013 Review to be implemented, and for “severe consequences when an organization consistently fails to remedy a situation”.

Consent/opt-out model

Trust, clarity, and purpose should underpin any opt-out model, and in this regard public views have not changed much since the 2013 Review. The public at large might not know too much about data use in health and social care, but people still want to be able to trust the system and its handling of their data. One trend emerging is that people are much more comfortable with sharing their data when it is anonymized.

On clarity, both patients and professionals agreed that unambiguous communication should accompany all information in the system with respect to sharing rights. The rights of individuals and the responsibilities of organizations need to be clarified. This uncertainty also influenced people’s opinions when it came to the purpose of their data being shared: the clearer the purpose, the more comfortable people felt. Hence, any opt-out model must be built on explaining the purpose of information sharing in plain English to people, thereby helping them to make informed choices. The report suggests a number of related recommendations, distilled into the following eight statements:

  1. You are protected by the law.
  2. Information is essential for high quality care.
  3. Information is essential for other beneficial purposes.
  4. You have the right to opt out.
  5. This opt-out will be respected by all organizations that use health and social care information.
  6. Explicit consent will continue to be possible.
  7. The opt-out will not apply to anonymized information.
  8. Arrangements will continue to cover exceptional circumstances.

Based on the above statements, four different approaches are presented to check if people wish to opt out from having their information used for purposes beyond their direct care, such as checking the quality of care and researching better cures. These approaches are on pages 40 and 41 of the report.

Next steps

Gaining people’s trust is at the core of the report from the National Data Guardian, so it is not surprising that public consultation forms a major part of its conclusion and next steps. Indeed, the report recommends that the UK’s Department of Health conduct a “full and comprehensive public consultation on the proposed data security standards and consent/opt-out model.” It also recommends the further involvement of professional bodies and patient representative groups in testing and refining the report’s findings.

Overall implementation is beyond the scope of the report but it does suggest addressing implementation in three separate strands:

  1. The public

Public understanding of the usefulness of information sharing is limited. For example, knowledge gaps exist about sharing information across organizations to integrate health and social care. The National Information Board (NIB) has a role to play in communicating to and earning the trust of the public. While reassuring people that their data is being shared and used securely, the NIB could explain how the modern health and social care system works, including the role of information sharing in general and its value in supporting researchers to improve treatment and care.

  2. Professionals

As mentioned previously, a ‘learning not blaming’ culture among professionals is essential to embed data security standards. Training, incentives, and formal accreditation could all be considered. Peer support and using professionals to help inform the public would also be beneficial. For this and all implementation work, a clear and consistent message needs to be in place.

  3. Technical

Of the technical aspects of implementation, it is compliance monitoring and updating the IG Toolkit that require significant attention. NHS Digital has a major role to play in fully scoping out the technical requirements, and it is acknowledged that some organizations are not currently equipped to implement consent/opt-out preferences.

While people’s understanding of the benefits of data sharing across the different organizations of the NHS is limited, they still hold a large degree of trust in the NHS to securely manage their information. With new agencies providing services within the NHS, however, work is continually needed to raise public understanding and help people make informed choices. Health and social care professionals have a big role to play, but public consultation and the wider government response are essential in this regard.

For more on the government response to this report, please see our follow-up article.



Kieran Sullivan

Kieran Sullivan is a Senior Research Engineer specializing in Information Security and Wireless Networks. A former journalist in the print media, Kieran completed a Masters in Computer Science in 2006 and has since been working in the ICT research domain. He contributes to various technical publications and is a firm believer that user education is key for ensuring online security.