Question to the Department of Health and Social Care:

To ask His Majesty's Government what assessment they have made of the extent of racism and discrimination within the NHS; what steps NHS England are taking to collate data on this issue; and how they disseminate best practice to improve working culture within the NHS.

Answered by Lord Markham - Parliamentary Under-Secretary (Department of Health and Social Care)

The National Health Service is one of the most diverse organisations in this country. As of September 2023, 27.3% of hospital and community health service staff reported an ethnic minority background. However, data shows that disabled staff, staff from ethnic minority background, and staff with other protected characteristics face a worse experience of working in the NHS when it comes to abuse, bullying and harassment, and career progression.

Since 2016, NHS England has published an annual Workforce Race Equality Standard (WRES) report. Implementation of the WRES is a requirement for NHS commissioners and NHS healthcare providers, including independent organisations through the NHS standard contract. The WRES enables NHS organisations to better understand how they are performing against nine indicators covering issues such as board representation, career progression, and bullying and harassment. They are required to develop action plans to progress and improve against the indicators.

In June 2023, NHS England published the Equality, Diversity and Inclusion Improvement Plan that sets out targeted actions to address prejudice and discrimination in the NHS workforce. NHS England has also provided guidance to assist trusts and integrated care boards in adopting an improvement approach to the implementation of this plan. It is supported by a repository of good practice and a dashboard, to enable organisations to measure progress.

Question to the Department of Health and Social Care:

To ask His Majesty's Government what steps they have taken to ensure that patient records and personal data are only accessible to those who need to view them, and to ensure connections between software systems in health facilities include suitable control measures for this risk.

Answered by Lord Markham - Parliamentary Under-Secretary (Department of Health and Social Care)

National IT systems must ensure that users can be identified correctly, and are given appropriate access. This is achieved using identity verification capabilities, including creating a national digital identity for each authorised user.

Each local National Health Service organisation which requires access to the national IT systems is required to set up its own local Registration Authority (RA) which consists of people and processes who are trained to create identities and grant access for their staff to the national IT systems. NHS England has published the RA Policy requirements with which every local NHS organisation that has an RA must comply. This reflects current best practice for identity and access management as informed by the National Cyber Security Centre (NCSC) guidance.

The RA Policy also allows non-NHS health and care organisations providing direct care to run their own RA service. RA hosting is subject to meeting requirements and assessment criteria, which are soon to be published.

The RA process includes the use of RA codes, assigned to professional users’ smartcards to give them access to the correct information within national IT systems.

The RA codes which are assigned for a specific user will allow that user to create and process referrals appropriately depending on their job role.

Local organisations which have an RA function are required to have an RA audit policy and conduct annual audits on NHS Smartcard usage as part of their RA governance. RA Managers (those responsible for administering the RA function within an organisation) must implement a process to run the RA reports on a regular basis.

Question to the Department of Health and Social Care:

To ask His Majesty's Government how many incidents of patient records or personal data being accessed without due cause have been recorded in the most recent year for which figures are available.

Answered by Lord Markham - Parliamentary Under-Secretary (Department of Health and Social Care)

Health and care organisations are required to submit data breach reports within 72 hours of an incident. Data breach incidents are reported to the Information Commissioners Office (ICO), who then investigate and decide what action to take. Notifiable breaches are those that are likely to result in a high risk to the rights and freedoms of the individual, referred to as the data subject. NHS England publishes the number of incidents reported through the Data Security and Protection Toolkit on its website. In 2023, 996 incidents were reported to the ICO, but not all of these would have involved patient details being accessed without due cause. The ICO publishes details on its website of incidents where it takes enforcement action.