Asked by: Baroness Manzoor (Conservative - Life peer)
Question to the Department of Health and Social Care:
To ask His Majesty's Government how many incidents of patient records or personal data being accessed without due cause have been recorded in the most recent year for which figures are available.
Answered by Lord Markham - Parliamentary Under-Secretary (Department of Health and Social Care)
Health and care organisations are required to submit data breach reports within 72 hours of an incident. Data breach incidents are reported to the Information Commissioner's Office (ICO), who then investigate and decide what action to take. Notifiable breaches are those that are likely to result in a high risk to the rights and freedoms of the individual, referred to as the data subject. NHS England publishes the number of incidents reported through the Data Security and Protection Toolkit on its website. In 2023, 996 incidents were reported to the ICO, but not all of these would have involved patient details being accessed without due cause. The ICO publishes details on its website of incidents where it takes enforcement action.
Asked by: Baroness Manzoor (Conservative - Life peer)
Question to the Department of Health and Social Care:
To ask His Majesty's Government what steps they have taken to ensure that patient records and personal data are only accessible to those who need to view them, and to ensure connections between software systems in health facilities include suitable control measures for this risk.
Answered by Lord Markham - Parliamentary Under-Secretary (Department of Health and Social Care)
National IT systems must ensure that users can be identified correctly, and are given appropriate access. This is achieved using identity verification capabilities, including creating a national digital identity for each authorised user.
Each local National Health Service organisation which requires access to the national IT systems is required to set up its own local Registration Authority (RA) which consists of people and processes who are trained to create identities and grant access for their staff to the national IT systems. NHS England has published the RA Policy requirements with which every local NHS organisation that has an RA must comply. This reflects current best practice for identity and access management as informed by the National Cyber Security Centre (NCSC) guidance.
The RA Policy also allows non-NHS health and care organisations providing direct care to run their own RA service. RA hosting is subject to meeting requirements and assessment criteria, which are soon to be published.
The RA process includes the use of RA codes, assigned to professional users’ smartcards to give them access to the correct information within national IT systems.
The RA codes which are assigned for a specific user will allow that user to create and process referrals appropriately depending on their job role.
Local organisations which have an RA function are required to have an RA audit policy and conduct annual audits on NHS Smartcard usage as part of their RA governance. RA Managers (those responsible for administering the RA function within an organisation) must implement a process to run the RA reports on a regular basis.