
CQC to beef up NHS information governance inspections

David Bicknell Published 15 May 2017

Regime follows publication of CQC’s ‘Safe Data, Safe Care’ report, rather than as a result of last week’s cyber attack that caught up the NHS, though its impact is likely to spur CQC interest


With the effectiveness of information governance (IG) in the NHS under question, it has emerged that the Care Quality Commission (CQC) will be strengthening its own IG assessments of NHS hospitals from as early as this summer.

The new CQC inspection regime is not specifically in relation to Friday’s cyber exploit which caught up some NHS trusts – the planned ‘beefing up’ was already underway – but the problems affecting NHS IT are likely to drive close questioning by CQC inspectors.

The change in IG regime follows the CQC recently consulting on proposals for its future regulation of NHS hospitals, with the proposals planning to introduce a new “key line of enquiry” for inspectors to use to look more closely at “whether robust and appropriate information is being effectively processed and challenged.”

It follows a commitment the CQC made as a result of its recent ‘Safe Data Safe Care’ report to amend its inspection approach to ensure “appropriate internal and external validation against the new data security standards have been carried out.” The response to the consultation and updated inspection frameworks are expected to be published next month.

The review, of 60 hospitals, GP surgeries and dental practices, looked at whether personal health and care information is being used safely and is appropriately protected in the NHS. It in turn followed a request from Health Secretary Jeremy Hunt to the CQC in September 2015 to undertake a review of data security in the NHS, and in parallel for Dame Fiona Caldicott, the National Data Guardian, to develop new data security standards and a method for testing compliance against the standards.

The CQC review focused on patient data in the NHS. It did not include providers of adult social care and also excluded a detailed examination of IT systems, which was the subject of separate work carried out by the Health and Social Care Information Centre (HSCIC), now NHS Digital.

The CQC review found that while there was “evident widespread commitment to data security”, staff at all levels faced significant challenges in translating their commitment into reliable practice.

It also found that:

  • Where patient data incidents occurred they were taken seriously. However, staff did not feel that lessons were always learned or shared across their organisations.
  • The quality of staff training on data security was very varied at all levels, right up to Senior Information Risk Owners (SIROs) and Caldicott Guardians.
  • Data security policies and procedures were in place at many sites, but day-to-day practice did not necessarily reflect them.
  • Benchmarking with other organisations was all but absent. There was no consistent culture of learning from others, and we found little evidence of external checking or validation of data security arrangements.
  • The use of technology for recording and storing patient information away from paper-based records is growing. This is solving many data security issues but, if left unimproved, increases the risk of more serious, large-scale data losses.
  • Data security systems and protocols were not always designed around the needs of frontline staff. This leads to staff developing potentially insecure workarounds in order to deliver good timely care to patients – this issue was especially evident in emergency medicine settings.

The CQC said, “Successful data security demands engaged leadership and a culture of learning and sharing. Senior leadership teams must take data security seriously and ensure clear responsibilities for all members of staff.”

It recommended that:

  • The leadership of every organisation should demonstrate clear ownership and responsibility for data security, just as it does for clinical and financial management and accountability.
  • All staff should be provided with the right information, tools, training and support to allow them to do their jobs effectively while still being able to meet their responsibilities for handling and sharing data safely.
  • IT systems and all data security protocols should be designed around the needs of patient care and frontline staff to remove the need for workarounds, which in turn introduce risks into the system.

The CQC also recommended that in terms of outdated technology, computer hardware and software that can no longer be supported should be replaced as a matter of urgency. It also argued that arrangements for internal data security audit and external validation should be reviewed and strengthened to a level similar to those assuring financial integrity and accountability.

The CQC said that in terms of its assessment, “We'll amend our assessment framework and inspection approach to include assurance that appropriate validation against the new data security standards have been carried out, and make sure inspectors are appropriately trained.”

A CQC spokesperson pointed out that the organisation’s role is to assess and report on the quality of providers’ services, and take action where required.

She said, “As part of this we expect providers to have robust arrangements for identifying and managing risks to their services, including risks around information governance, data security and IT systems. We do look at this on inspection and as part of our ongoing monitoring of services. Where an inspection finds concerns in those areas we would report our findings and require the provider to take appropriate action. Any extension to this remit would be a decision made by the Department of Health.”

Related link:

Ministerial statement in response to CQC report and review by Dame Fiona Caldicott of data security and consent


