• Independent security review says July’s loss of 500 people’s data should be a “wake-up call”
  • “Mismatch” between CQC policy and staff behaviour
  • CQC considering second review next year to check on progress of organisational change

An independent review has told the Care Quality Commission it needs a “culture shift” across the organisation if its data security procedures are to be an example to the NHS.

The recommendation was made in a review of security procedures commissioned by the CQC following its loss of almost 500 people’s personal data in July.

David Behan

David Behan

David Behan called the loss of 500 people’s data a ‘never event’

The CQC lost hundreds of disclosure and barring service certificates after a locked filing cabinet was wrongly marked for removal and destruction during refurbishment of the regulator’s Newcastle office.

The review said that in light of the CQC’s Safe data, safe care report that urged the NHS to tighten up its security procedures, it was “imperative” that the CQC implemented “culture change across the organisation from top to bottom”. The report also urged the regulator to view its recent data loss incident as a “wake-up call”.

The review found a “mismatch” between CQC information security policy and “the actual behaviours of some CQC staff”. It added that the policy’s effectiveness was “undermined” by CQC management’s “tolerance” of non-compliance.

Speaking at yesterday’s CQC’s board meeting, chief executive David Behan said it accepted all the report’s recommendations, and the challenge to the CQC is “can we create the culture in this organisation that we are encouraging others to create?”

He said the CQC “will probably” invite the report’s author, cyber security expert Chris Hurran, to do a further review in 12 months’ time to check that the CQC has made “progress” in implementing the recommendations.

Describing the data breach as a “never event”, Mr Behan said the regulator will implement managerial spot checks on whether information security policy is being adhered to, as well as developing a training programme and identifying good practice. The CQC will write to all the people whose personal data was lost to update them on developments.

Non-executive director Sir Robert Francis QC asked if the regulator should “reflect… on whether there is a wider mismatch or not between the policies that emanate from this board and the executive team and what is actually happening on the ground, as that is what we look for when we inspect a hospital”. He added that it was “probably not only in this field” that such a mismatch was happening.

The report said staff described the incident as a “creeping crisis”.

The review questioned why the crisis management team was never “stood up” and how quickly the CQC called the removal company to try to regain the material. It said that there was “no certainty that other sensitive documents” had also not been lost.

However, it accepted that although theft of the data could not be “ruled out” it was a “very low likelihood”. It also found that initial plans for CQC staff to supervise the furniture removal were “cancelled on cost savings grounds”.