Medical Records: Data Protection

(asked on 1st June 2026)

Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, what guidance his Department has issued to NHS trusts on accessing patient medical records outside of direct clinical care; and what safeguards are in place to prevent unauthorised access.


Answered by
Preet Kaur Gill
Parliamentary Under-Secretary (Department of Health and Social Care)
This question was answered on 5th June 2026

NHS England’s website provides a range of information governance guidance to the National Health Service on the secure and appropriate use of medical records, including guidance on the use of records outside of direct care. This can be found at the following link:

https://digital.nhs.uk/data-and-information/information-governance

There are various safeguards used in the NHS to prevent unauthorised access to patient records. These include:

  • role-based access control, meaning users are restricted in what they can access, so that it is appropriate to their role;

  • multi-factor authentication, meaning users are required to prove their identity with at least two details;

  • shielding records, meaning records can be hidden from normal view, and only accessed by contacting an authoriser, or via an alert triggered by attempted access;

  • organisational policies determined at local level; and

  • auditing, with systems recording who has accessed a record and when, in case this needs to be reviewed/investigated.

Staff accessing systems are bound by employment contract and professional codes of conduct to ensure their access to data is necessary and appropriate. All organisations handling patient data should have training in place to ensure staff are aware of their responsibilities.
