Comment

21.03.18

Safe by design

Nigel Houlden, head of technology policy at the Information Commissioner’s Office (ICO), explains what NHS organisations need to do to prepare for incoming data regulation changes and ensure they are safe by design.

There are people out there who do not trust you with their data.

Only 61% say they have trust and confidence in the NHS or local GP to store and use their personal information. That’s just one of the findings from our 2017 annual ICO survey.

As the UK’s data protection regulator, it’s our job to protect the information rights of citizens and to ensure that privacy works hand-in-hand with innovation in today’s digital economy.

So I want to talk about some steps you can take to increase people’s trust in your organisation.

Elizabeth Denham, the UK information commissioner, talked about cyber security in her speech at a CBI conference last September, saying: “Cyber security and data protection are inextricably linked. Privacy depends on security.

“No obligation to provide privacy will be meaningful if the data to be protected are accessed or stolen by unauthorised third parties.

“All modern data protection principles include an obligation to protect information, and security has been recognised in every significant codification of data protection, including the current Data Protection Act and the new EU General Data Protection Regulation (GDPR) that comes into effect on 25 May.”

It’s important to understand your cyber security obligations. Ensuring good security could have prevented WannaCry, the ransomware that hit the NHS (and others) last year. WannaCry, if you needed reminding, encrypts files on computers and demands payment for the decryption key. It targeted Microsoft Windows systems, particularly those lacking a security update; had the systems been patched and up-to-date, the whole attack last May could have been averted. These criminals don’t care about who they hurt, they aren’t interested that a healthcare professional can’t get information about a patient – they just want money.

If health systems are designed with privacy by design in mind, attacks like WannaCry will hopefully not impact on such a vital service.

The regulations

The government has pledged to make the UK the safest place to be online, deciding that the new data protection laws represent an opportunity for organisations to improve their cyber security resilience.

The GDPR comes into force in all EU Member States in May – and the UK Government has taken a step further with the new Data Protection Act. This will replace the 1998 legislation, complementing the GDPR and bringing all processing of personal data into one coherent regime, with the rights of the individual at its centre.

There is a lot to say about the data protection reforms – a good place to start is our website – but the changes can be summarised in three main areas:

  • The new law requires you to be transparent and tell people what you will do with their data;
  • You then have to control the data as you promised you would;
  • You must be prepared to account to your customers and the regulator for what you have done.

Organisations will have to show reporting structures and responsibilities, risk assessments and mitigation measures. These records need to be up-to-date, accurate and comprehensive – and we need to see them if an incident occurs.

In addition, breach reporting rules are changing. You will not have to report every single personal data breach to the ICO – but you will if it’s likely to result in a risk to people’s rights and freedoms.

We are writing guidance about this, but you should already be developing a sense of what constitutes a serious incident in the context of your data and your own customers.

This all sounds challenging – but it needn’t be onerous if you adopt privacy by design and sound cyber security at the outset of a project, and don’t treat them as an afterthought.

Privacy by design

We have long championed this approach, but it’s never been a legal requirement – until now. “Data protection by design” will be an obligation under the GDPR, as will the use of data protection impact assessments.

We already have plenty of guidance on our website (and we are developing more), but in this context privacy by design means building data privacy and security into every part of your information processing, from the hardware and software to the procedures, guidelines, standards and policies that your organisation has or should have.

Systems should be protected at every step: look at your data flows, understand how your data moves across and beyond your organisation, both in electronic and ‘real-world’ formats.

You should evaluate the impact of a data breach or data loss on your finances and your reputation. Data should be secured at rest as well as in transit – even if it is lost or stolen, it should not be readable.

A well-designed system and approach will protect your network infrastructure: it should incorporate firewalls, access control lists and VLANs, as well as non-technological measures such as CCTV, fences and security personnel if needed.

Access to data should follow the principle of least privilege: not knowing who has access to what, or who is responsible for it, can be a massive hole in your security.

And remember – security isn’t just an IT issue. For good security to work you need senior management buy-in and support, and you must enforce your policies and procedures.

Just because someone somewhere once wrote a security policy doesn’t mean you’re protected. Staff must read and understand the requirements of that policy and the consequences of failing to follow it – which you should be prepared to enforce.

The information commissioner talked about low-tech breaches in her cyber security speech: “They are frustratingly common in our enforcement work, with many due to human error. So training and awareness are critical for your staff, as well as protecting your data with regular monitoring and testing and robust incident management.

“The new laws are an opportunity to focus on data protection and security. Ensure your board of directors understand their new obligations, and the need to invest in safeguards to build and retain consumer trust.

“Innovation in the digital economy relies on this trust to generate the social license that you need to break new frontiers with data. Growth built on a healthy foundation of trust is sustainable. Growth built on mistrust is vulnerable to the reputational damage of a data breach.”

The future

Our Information Rights Strategic Plan, which sets out the ICO’s commitments until 2021, makes clear that staying relevant in the context of ever-changing technology must become a core component of our strategic goals if we are to continue to deliver the regulatory outcomes the public expect.

Technological advance and privacy rights can work together to create true trust and data confidence.

It is for these reasons that the ICO has published its first-ever Technology Strategy.

FOR MORE INFORMATION

W: www.ico.org.uk
