CQC to Fortify NHS Information Governance Inspections

    Jun 13, 2017

    Britain’s Care Quality Commission (CQC) plans to beef up its own IG assessments of NHS hospitals, beginning this summer, as reported by

    While the new inspection regime is not directly related to the May WannaCry intrusion, which affected some NHS trusts, inspectors are likely to scrutinize many aspects of NHS IT.

    Even before the WannaCry exploit, the CQC had been consulting on proposals for its future regulation of NHS hospitals. The proposals plan to introduce a new “key line of enquiry” for inspectors to use to look more closely at “whether robust and appropriate information is being effectively processed and challenged.”

    Earlier, the CQC had released “Safe Data Safe Care,” a report that concerns amendments to its inspection process to ensure “appropriate internal and external validation against the new data security standards have been carried out.”

    The report chronicles the review of 60 hospitals and other medical practices to see whether personal health and care data is being used safely and is being protected appropriately.

    The CQC review focuses on patient data in the NHS and does not include providers of adult social care; nor does it examine IT systems.

    The CQC review finds that while there is “evident widespread commitment to data security,” staff at all levels face significant challenges in translating their commitment into reliable practice.

    Included among the several issues the report finds are these:

    • Lessons from data incidents are seldom learned or shared.
    • The quality of training on data security varies greatly at all levels.
    • Day-to-day practices often do not reflect the established policies and procedures.
    • Data security tools and protocols are not user-friendly, which tempts the staff to find risky workarounds.

    A CQC spokesperson said she expects providers to have robust arrangements for identifying and managing risk to their services: “We do look at this on inspection and as part of our ongoing monitoring of services. Where an inspection finds concerns in those areas we would report our findings and require the provider to take appropriate action. Any extension to this remit would be a decision made by the Department of Health.”

    The online Global Policy Brief is intended to help you stay current on international news and events.

    © 2017, ARMA International