Health and social care - data strategy: 2024 update - progress and priorities

Protecting and Sharing Information

We want a trusted, secure health & care ecosystem where data is shared, managed, and stored securely, consistently, efficiently, and transparently.

Background

The protection and sharing of health and social care information is managed by Information Governance and Cyber Security processes. This is crucial to ensure that data is handled safely, securely and that privacy is upheld. The Data Strategy acknowledges that Information Governance processes need to be streamlined at a national and local level (whilst respecting the agency of organisations) to make it easier to manage, share and safeguard the data that health and social care organisations hold.

What we have achieved so far

In our first year we have:

• Engagement. Extensive engagement was undertaken with stakeholders across the health and social care sector to help provide national support in further raising awareness and common understanding of Information Governance and its challenges and opportunities. This engagement has enabled the Scottish Government to identify and consult with key stakeholders to provide the opportunity to collaborate, support and co-produce on key deliverables. As a result, objectives have been clarified and a clear plan for progressing the various workstreams under the National Information Governance Plan has been developed.
• Streamlined Information Governance. Collaborative working is underway between the Scottish Government and COSLA to establish the Information Governance processes that are in use across Local Government to support the further development of consistent approaches to Information Governance. The Society of Local Authority Lawyers and Administrators in Scotland have set up a Sub-Group to feed into this work to help the development, implementation and management of streamlined Information Governance processes and tools that can be used across the health and social care sector. It is intended that this streamlined approach to Information Governance will be achieved through delivery of a Code of Practice.
• Information Governance Competency Framework. The first phase of the Information Governance Competency Framework has been developed. The core Information Governance roles are in the process of being made available online for staff within the health and social care sector to access. This framework sets out the roles, responsibilities and skills required from those involved in the governance, assurance or management of data and digital technologies to be effective in their roles and gain a clear understanding of career pathways, training, continued professional development and accreditation.
• Tools and Resources. We are continuing to invest in national tools for Information Governance tasks and processes and continue to develop sector-specific national Information Governance related policy and guidelines to help with compliance and continual improvement. We are scaling up what works well in Information Governance, sharing best practice/guidance across the ecosystem to reduce duplication of effort and improve efficiencies. The following resources have been published:
  • NHS Scotland Code of Practice: Protecting Patients Confidentiality
  • Artificial Intelligence Validation Framework
  • Refresh of Scottish Information Sharing Toolkit
  • Refresh of Intra-NHS ISA
• Governance Forums. We championed the re-establishment of the SIRO and Caldicot Guardian forums and will continue to do so into 2024-25. This activity has brought together key resources post pandemic, increasing their individual and collective ability to tackle key issues, recognise and respond to challenges and collaborate on opportunities for improvements.
• Cyber Security. The Data Strategy committed to developing a cyber security strategy for health and social care. Rather than develop a strategy for cyber security, the decision was taken to align with existing national strategies and frameworks on cyber security and work is underway in collaboration with the Cyber Centre of Excellence to develop an action plan and roadmap for cyber security. Developing a Digital Health and Care Cyber Security Action plan that aligns with the Strategic Framework for a Cyber Resilient Scotland, the Digital Health and Care Strategy and the Health and Social Care: Data Strategy will improve organisational efficiency and effectiveness by clarifying roles, setting priorities, and aligning resources with objectives. Additionally, stakeholders will have confidence that efforts are coordinated and purposeful, which builds credibility and transparency.
• Cyber Centre of Excellence (CCoE) - We continue to drive service maturity and capabilities of the Cyber Centre of Excellence through delivery and growth of key enablement pillars and underpinning services. The CCoE currently supports health organisations in meeting the rapidly growing cyber challenge and is the focal point for cyber defence and incident response on a national scale. The CCoE works closely with strategic partners, such as Police Scotland, the Scottish Cyber Crime Co-Ordination Centre (SC3) and Cyber and Fraud Centre Scotland to minimise recovery time for critical services and to promote regulatory compliance and privacy and security by design in all new national medical systems.

How this helps to achieve our vision

There are many examples of good approaches being taken to safely manage and share data across health and social care, however we know there are still examples where data could have been beneficially shared but was not. That is why we are continuing our National Information Governance Plan to streamline the Information Governance processes that are in place. By engaging with stakeholders and working collaboratively across the health and social care sector, we have been able to begin to identify priorities with the aim of developing a more streamlined model of Information Governance that meets the needs of all users across the sector. It is critical that staff understand their roles and responsibilities in relation to Information Governance if we want to store and share data securely and consistently. That is why, alongside discovery work on our long-term ambitions, we prioritised setting out roles and responsibilities in the Information Governance Competency Framework and publishing tools and resources that will support staff to better understand Information Governance. We believe these actions are crucial to empower individuals to share the right data with the right person when it is appropriate to do so, ensuring data is used to deliver the best care possible.

What’s next for 2024-25?

Our priority for 2024-25 is to:

• Engagement. We will continue to engage with stakeholders to co-produce a more balanced Information Governance model across health and social care, at the national, regional, and local levels, resulting in more joined up processes, improving compliance and increasing operational efficiencies. In addition, work will continue to prioritise and progress on key deliverables under the National Information Governance Plan.
• Code of Practice. Work will be undertaken to develop the core elements of an Information Governance Framework that strengthens stakeholder and public trust and speeds up Information Governance and assurance processes by helping stakeholders to discharge their duties. We will develop and test out tools and best practice approaches to support implementation of the Code of Practice and conduct user testing with stakeholders to ensure that the Code of Practice can be adopted effectively. The Code will provide a consistent Information Governance framework and streamlined arrangements that will help the health and care sector comply with the UK GDPR, as well as other requirements (e.g. NIS regulations) in a practical, transparent, and cost-effective way. It is intended that the code will help to remove data sharing barriers through increased confidence of good practice, greater transparency, and elevated trust among stakeholders and with the public. The Code will support the operation and delivery of Information Governance practices at pace.
• Tooling and Resources. We will continue to develop, update, review and publish appropriate tooling and resources that help to support stakeholders across the sector, promoting collaboration and removing duplication of effort and unwarranted local variation in the application of guidance and tools where possible. We aspire to increase efficiencies whilst ensuring due diligence and compliance remains a priority.
• Information Governance Competency Framework. We will further develop the Information Governance competency framework to expand on the roles already delivered through 2023-24, ensuring staff have access to fit for purpose development resources and pathways.
• Information Governance Maturity Pilot. Information Governance maturity pilots will take place to identify standardised approaches to continuously improve Information Governance practices and baseline maturity levels across the sector. The longer-term aspiration is that the maturity level will be monitored through a Code of Practice monitoring body, providing assurance across the sector, which will enhance trust and promote more efficient processes, including access to data, while remaining compliant with applicable laws and regulations.
• Cyber Security. We will continue to enhance our cyber security tools and responses and actively promote security controls and regulatory requirements through the Cyber Centre of Excellence and the work of the Scottish Health Competent Authority (SHCA). The SHCA will continue to assess annually the cyber resilience practices of all NHS Scotland Health Boards. We will use the findings from the yearly audits to set strategic direction, with a focus on mitigating practices for the areas of greatest risk.

We will focus on the implementation of the Cyber Security roadmap and action plan, working closely with the Cyber Centre of Excellence to expedite growth and resulting resilience.