• Data guardians and teams “scoring down incidents” to suggest security is better than it is
  • New toolkit in development will help trusts “meet the highest possible levels of data security”
  • ICO says it needs to address “current concerns around robustness, reliability and inconsistency”

NHS Digital will relaunch a key part of the NHS’s data governance system, amid criticism that trusts are using the informaton governance toolkit to “game” their results by exploiting the current self-assessment system.

A new version of the toolkit will be launched in pilot phases in 2017.



The Caldicott review criticised the self-assessment nature of the toolkit

The decision to improve the toolkit has been welcomed by senior information officers, who are concerned some data guardians and senior teams at trusts are “scoring down incidents” to suggest their organisations are more secure.

Cyber security has become a top priority for trusts after a cyber attack led to three days of cancelled operations and appointments at North Lincolnshire and Goole Foundation Trust.

A senior source in information governance told HSJ that at some trusts data guardians and senior teams were using the toolkit to deliberately under-report breaches to avoid reputational damage and fines.

They said: “An awful lot of stuff doesn’t come to the Information Commissioner’ Office’s attention… I think there is a risk based analysis by senior teams to say: ‘Is the ICO going to find out?’ Then a corporate decision is made to protect the organisation.”

Concerns about the effectiveness of the toolkit were raised in Dame Fiona Caldicott’s third review into information governance and data security in the NHS in July, which said the “self-assessment nature of the information governance toolkit causes some to doubt its reliability”.

This concern was echoed by the ICO response to the review, which referred to the toolkit as a “tick box exercise” with “potential for unreliable and inconsistent results due to its focus on self-assessment”.

Trusts currently decide whether to report a serious incident requiring investigation by using a matrix to determine the data breach level.

The concern is that the toolkit’s scoring system is open to interpretation, Barry Moult, head of information governance and health records at Colchester Hospital University Foundation Trust, said.

Variation in incident reporting can leave some trusts exposed to sanctions from the ICO and the Care Quality Commission, while other trusts “stay out of the spotlight”, Mr Moult said.

“A trust that has already reported data breaches could be tempted not to report a further breach because of a sanction or fine from the ICO,” he added.

Mr Moult’s team is one of several to have discussed alternative designs of the toolkit with NHS Digital as part of a country-wide consultation.

He told HSJ his proposed model would be much less open to interpretation.

NHS Digital issued a statement saying staff wereworking “hand in hand with stakeholders, including NHS organisations and the ICO” on the redevelopment of the toolkit.

“The toolkit is currently being redeveloped to ensure it is fit for purpose in an increasingly digital world and that it provides health and care organisations with the support they need to meet the highest possible levels of data security,” it said.

The ICO said it would “welcome a redesigned toolkit to help embed the new security standards… if the redesign of the information governance toolkit addresses current concerns around robustness, reliability and inconsistency, then it could be a beneficial tool in ensuring data security”.