Claire Powell, Corporate and Commercial Solicitor at Thompson Smith and Puxon, discusses the Data Guidance published this week by the Department of Health and NHS England. The Guidance sets out the steps all Health and Care organisations will be expected to take to demonstrate that they are implementing the ten Data Security Standards recommended by Dame Fiona Caldicott, the National Data Guardian.
In addition to the new Data Security Standards, General Practitioners should also be gearing up to comply with the EU General Data Protection Regulation which comes into force from May 2018 and which will further increase the legislative data security and protection requirements on Health and Care organisations.
The framework for assuring the implementation of the Data Security Standards and the GDPR will include Practices completing a new Data Security and Protection Toolkit from April 2018. However, all organisations will have access to the toolkit from January 2018 to enable them to familiarise themselves with the approach to measuring implementation and compliance. NHS Digital is also expected to publish a checklist to support public authority organisations in implementing the requirements of the GDPR.
It is recommended that all Health and Care organisations take the time now to consider their understanding of data and cyber security and to consider how both the Data Security Standards and the GDPR will apply to their organisation.
Set out below are the steps which will apply to General Practitioners:
- Senior Level Responsibility: Each Practice must have a named partner, board member or equivalent senior employee to be responsible for data and cyber security in the Practice.
- Completing the Information Governance Toolkit: Each Practice is required to complete the current GP IG Toolkit, with the recommendation that Practices attain level two as a minimum.
- Complete the General Data Protection Regulation Checklist: NHS Digital will publish a checklist to support public authority organisations (including General Practices) in implementing the requirements of the General Data Protection Regulation which they will be required to comply with from May 2018. Each General Practice will be accountable and responsible for completing this, including the appointment of a Data Protection Officer (DPO).
- Training Staff: Each General Practice is accountable for ensuring all staff complete appropriate annual data security and protection training.
- Acting on CareCERT Advisories: Organisations must act on CareCERT advisories and confirm that plans are in place to act on High Severity CareCERT advisories within 48 hours. They will also be required to identify a primary point of contact for the organisation.
- Continuity Planning: Each General Practice is required to continue to maintain a business continuity plan which will include the response to data and cyber security incidents.
- Reporting Incidents: Data security incidents and near misses must be reported to CareCERT in line with the reporting guidelines. Practices will be supported by the commissioned GP IT and GP IG services in reporting and managing the incident.
- Unsupported Systems: CCGs must identify unsupported systems in General Practices and have a plan in place by April 2018 to remove, replace or actively mitigate them and to actively manage the risks associated with unsupported systems.
- On-Site Assessments: CCGs are responsible for commissioning on-site cyber and data security assessments and the General Practice will be required to act on any recommendation.
- Checking Supplier Certification: General Practices that commission the Practice's IT systems will ensure that any supplier of IT services, infrastructure or systems used in general practice has the appropriate certification.
The Corporate and Commercial team at Thompson Smith and Puxon was recently awarded a Top Tier recommendation in Essex for their work in this area by the Legal 500 2017; one of only two firms in Essex and the only firm in Colchester to be given this accolade.
The Legal 500 2017 said “Thompson Smith and Puxon’s corporate and commercial practice is ‘professional, friendly and easy to work with’, and is particularly experienced in the healthcare sector. The lawyers advise on NHS contracts as well as pilot schemes, partnership arrangements and business disposals. Additionally, the ‘thorough, knowledgeable and responsive’ Claire Powell also specialises in advising GP practices and healthcare franchise work.”
For help and guidance in this area, Claire can be contacted on 01206 217050 or by email at Claire.firstname.lastname@example.org