Healthcare information security

NDG Pt. 3: The Impact of new data security standards and opt-out model on the IG Toolkit

November 8, 2017 by Kieran Sullivan

Previous articles in this series:

Pt. 1: Data security standards and opt-out models in health and social care

Pt. 2: Government Views On Opting Out – Health Data and Security in The UK


The Information Governance Toolkit may have focused on technical standards in the past, but recent external movements could mean a more public-facing role to help build trust in NHS management of service user data.

To improve the use of technology, data, and information within the health and social care sector, the UK’s Department of Health established a public body called NHS Digital. Previously referred to as the Health and Social Care Information Centre (HSCIC), its role is twofold: (1) Draw together legal rules and guidance set out in Department of Health policies; and, (2) Present them as a set of information governance requirements.

The Information Governance (IG) Toolkit incorporates both these tasks, and its remit covers information security, confidentiality and data protection, and management structures and responsibilities.

At the present time (November 2017), the Toolkit is being updated in light of recommendations from the Review of Data Security, Consent and Opt-outs carried out by the National Data Guardian (NDG). This Review has been discussed previously, including its focus on building public trust. The UK Government response to this Review is also informing the update, and its public consultation has been covered on this website.

The release notes for version 14.1 of the Toolkit state that, “redesigned IG Toolkit is in phased development and will include a new set of mandatory requirements to support the evolving system and threats. It will be more accessible and easier to use, while also providing a greater emphasis on data security leadership obligations – people, processes and technology. A beta version of the redesigned toolkit is due for launch in the autumn ahead of a formal roll out across all sectors in April 2018.”

A previous Review in 2013 (Caldicott-2) resulted in a number of changes to the Toolkit, and in this article, we look at the likely impact arising from the 2016 Review (Caldicott-3) and the Government’s subsequent public consultation.

Likely Impacts

While the Toolkit will undoubtedly be impacted at technical levels, its overall role and function may also be affected. Gaining public trust is a significant issue and was a major theme in Caldicott-3 and the Government response. Hence, the first likely impact on the Toolkit will be its enhanced role in helping the NHS increase public trust in its management of service users’ data.

  1. Supporting public trust

In its response paper, the Government says service users should have easier access to data about themselves held by service providers within the NHS. Currently, service users must engage in a lengthy application process to access this data. The Toolkit cannot directly help with this better data access, but it could allow service users to more easily find the organization(s) that have access to their data, and indicate whether they are currently compliant with data security standards. In this regard, the response paper says the Toolkit can facilitate organizations in demonstrating their commitment to cyber-security measures. The Government has also stated that a central register of which organizations accessed a service user’s care record will be available online. The Toolkit could naturally be linked to this register.

Another aspect of the Toolkit that may be impacted with respect to supporting public trust is its Change Requests process. This could be required to become more user-friendly and perhaps even widen its function to incorporate more feedback from service users; it has historically been an organization-facing entity. To focus more on the public, a website that renders neatly on smartphones and tablets could be expected. Additionally, a dedicated app and perhaps free-phone numbers for older and other vulnerable service users to make contact might also be anticipated.

  2. Social care

The 2016 Review (Caldicott-3) broadened its remit and considered data security in social care as well as health care. The 2013 Review had focused on health care only and up to now, the Toolkit mostly dealt with organizations in the health care sector.

The impact on the Toolkit in this instance, therefore, may be the incorporation of social care organizations into its domain. While many health care organizations listed under the Toolkit’s Organization Types may already deliver social care, its emphasis in Caldicott-3 means additional effort will be required to address the potentially different requirements for data security and information sharing in a social care setting.

  3. Cyber Security Programme

From a technology point of view, the Toolkit’s Cyber Security Programme (CSP) will have to become even more agile and faster in its response to the ever-changing threats from malware and other attackers. Organization staff who use mobile devices for work present a new vulnerability which will require additional attention from the CSP and its CareCERT team. If staff connect to NHS databases via their mobile device, then they are potentially providing a gateway for attackers to NHS and service user data. Mobile security is a concern for the wider online community, and the Toolkit must ensure it is (1) fully up-to-date with the latest technical security measures, and (2) auditing its technology more regularly. Practical advice such as minimum requirements for operating systems and browsers may also now fall into its remit.

  4. Opt-out model

The Caldicott-3 Review considered two aspects of information sharing within NHS organizations: data security standards and a new opt-out model for service users who do not wish to share all or part of their data. If the Toolkit is to take on more of a public-facing role, it must also incorporate this new opt-out model. Summary information on the model must be provided in a clear, straightforward format, as well as updates to the Requirements section. Any subsequent assessments using the Toolkit will also have to consider how organizations are implementing and explaining the opt-out model to service users.


Implementing change is difficult in any sphere, even more so when dealing with large public entities such as the NHS. Add to this the element of sensitive data from often vulnerable people and we get a sense of the sizeable task facing the IG Toolkit. The Government response paper recommends a redesign of the current Toolkit, but acknowledges that a cost-benefit analysis is needed with respect to cybersecurity measures. Smaller service providers, for example, cannot be expected to dedicate the same resources to data management as those with larger budgets and more staff.

What then will ultimately be the impact for the Toolkit? In this article, we outlined some likely changes in light of two recent public documents. In future, there will be other external drivers that impact the Toolkit. It is likely that such influences will become more regular and the Toolkit will have to become more agile and adept at responding to them; all the more so as technology changes faster and the public better understands the use of data sharing in the health and social care sector.

The Toolkit must become more user-friendly, both for organizations and the wider public. This can be reflected in its Publications and Reports sections, as well as its approach to Change Requests, as previously outlined. The opportunity now exists for the Toolkit to support the NHS in becoming exemplars of trustworthy data controllers. The Toolkit may even become a certifier of best practice in organizations, not only for the public, but also for external funders and other potential investors in those organizations.




Kieran Sullivan

Kieran Sullivan is a Senior Research Engineer specializing in Information Security and Wireless Networks. A former journalist in the print media, Kieran completed a Masters in Computer Science in 2006 and has since been working in the ICT research domain. He contributes to various technical publications and is a firm believer that user education is key for ensuring online security.