Information Security Management
NHS organisations need robust information security management arrangements for the protection of their patient records and key information services, to meet the statutory requirements set out within the Data Protection Act 1998 and to satisfy their obligations under the Civil Contingencies Act 2004.
Without effective security, NHS information assets may become unreliable and untrustworthy, may not be accessible where and when needed, or may be compromised by unauthorised third parties. All NHS organisations and those who supply or make use of NHS information therefore have an obligation to ensure that there is adequate provision for the security management of the information resources that they own, control or use.
NHS information assets may consist of:
- digital or hard copy patient health records;
- digital or hard copy administrative information;
- digital or printed x-rays, photographs, slides and images;
- digital media (for example, CD-ROMs, DVDs and USB memory sticks);
- computerised records, including those that are processed in networked, mobile or stand-alone systems;
- e-mail, text and other message types.
Information, whether in paper or digital form, is the lifeblood of NHS organisations because of its critical importance to NHS patient care and other related business processes. High-quality information underpins the delivery of high-quality evidence-based healthcare and many other key service deliverables. Information has the greatest value when it is accurate, up-to-date and accessible where and when it is needed. Inaccurate, outdated or inaccessible information that is the result of one or more security weaknesses can quickly disrupt or devalue mission-critical processes, and these factors should be fully considered when commissioning, designing or implementing new systems. An effective information security regime, therefore, ensures that information is properly protected and reliably available. NHS information may be needed to:
- support patient care and continuity of care;
- support day-to-day business processes that underpin the delivery of care;
- support evidence-based clinical practice;
- support public health promotion and communicate emergency guidance;
- support sound administrative and managerial decision making, as part of the knowledge base for the NHS;
- meet legal requirements, including requests from patients under the provisions of the Data Protection Act or Freedom of Information Act;
- assist clinical or other types of audit;
- support improvements in clinical effectiveness through research;
- support archival functions by taking account of the historical importance of information;
- support patient choice and control over treatment and services designed around patients.
In April 2007 the Department of Health published Information Security Management: NHS Code of Practice. This guide sets out the methods and required standards of practice in the management of information security for those who work within, under contract to, or in business partnership with NHS organisations in England. Its purpose is to identify and address security management in the processing and use of NHS information, and it is based on current legal requirements, relevant standards and professional best practice.
This page was last modified on Fri May 07 2010