Information Governance, Assurance and Cyber Security
People expect their health and care information to be available to them, and to those responsible for helping them, when and where they need it. At the same time they want assurance that their personal information is being handled appropriately, safely, securely, and in an approved and controlled way.
We heard consistently that there needs to be a national approach to information governance in order to address, amongst other issues, inconsistencies in decision making about appropriate sharing of information, and misunderstandings and myths around existing legislation – which can impede the effective delivery of care, but also the timely introduction of new models of care, research and innovation. The Health and Sport Committee, as well as a significant number of other stakeholders, strongly emphasised the need to review how information governance could be considered at a national level, find more efficient ways to appropriately share information, and ensure there is a greater understanding of the law.
We recognise that people should have appropriate choices around how they can access and manage their health and care information, and we need to maintain trust that their information is used in a manner consistent with the law and with their expectations. A more transparent and informative picture is needed so people understand the importance of the use of information in areas of wider public or societal benefit such as research into new treatments or to develop learning and knowledge to improve public health.
By 2020, we will have in place clear arrangements to deliver a simplified and consistent national approach for Information Assurance which will take into account the different needs of users and citizens, and provide clarity around information sharing across health and care.
For this to be achieved, we will:
- Establish, through public involvement and professional advice, a clear national approach, consistent with the law, including the General Data Protection Regulation (GDPR), which provides clarity around the required information assurances needed for different uses of health and care information, and appropriate choices for citizens about how their information will be used.
- Review information governance boards and groups currently in place with a view to streamlining the landscape, reducing unnecessary complexity and developing a national approach to assurance and cyber security.
- Work with health and care organisations to continually improve the security of how they handle information and ensure that this reflects specific standards, e.g., Cyber Essentials and the appropriate ISO 27001 standards.
- Agree and publish clear information for the public, front-line professionals, carers, and the research, development and innovation communities about the use of information and the basis on which information may or should be shared.
- Work with public sector initiatives, e.g., the Identity Assurance Programme, to ensure that we encompass a consistent approach across public services in the use of information.