We have set up a helpline for the duration of the Covid-19 crisis. Call us on 0208 133 3430 (Mon-Fri 9-5) or email [email protected] for free support.

CQC regulation and data protection

CQC regulation and data protection

David James, Head of Adult Social Care Policy at the Care Quality Commission discusses current and future plans for regulation and data and technology.

Access to care records, and the use of data and technology are fundamental to health and social care delivery, therefore the Care Quality Commission needs to assess how safely they are used, and how well-led care providers are in terms of information governance.

As providers will know, our current assessment framework is based around five key questions, key lines of enquiry, ratings, legal standards and fundamental standards. The use and security of records and data is already covered within these. In particular, question C3.3 from the Key Lines of Enquiry (KLOE) asks: “How are people assured that information about them is treated confidentially…?” And question W2.8 asks: “How does the service satisfy itself that it has robust arrangements… in line with data security standards?”

Our inspectors do encourage care providers to use the officially recognised Data Security and Protection Toolkit (DSPT) to assess their own data and cyber security arrangements – and provide evidence that they are complying with legal and regulatory requirements

At present, it is not mandatory for care provider to complete the toolkit in order to demonstrate compliance with CQC standards. However, it is certainly one of the most effective and efficient ways of demonstrating compliance to our inspectors and we do expect providers to consider how information is accessed and shared by others and kept safe.

And of course the current DSPT information standard says “All organisations that have access to NHS patient data and systems must use this Toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.” This means reaching Standards Met opens up access to take part in local shared records projects where these projects are available. Our own interim guidance on What good looks like for digital records in adult social care also reflects the fact that all records should comply with the DSPT if providers are accessing NHS patient data and system.

Given the particularly challenging year that care providers have faced during the COVID-19 pandemic, our inspectors have, understandably, been focused on other areas – especially infection control. So although inspectors many not ask for evidence that a care provider has completed the Data Security and Protection Toolkit, we would definitely encourage providers to use it.

What CQC inspectors look for

We want to see that providers focus on outcomes, involve the right people, manage change, and understand and meet relevant standards and regulations. So if, for example a care provider was introducing a new data or digital system, they should be able to describe:

  • how the system will improve the quality of care they provide, support their organisation’s objectives and deliver better outcomes for people who use their service
  • how they have involved staff and people who use services in set up
  • the appropriate levels of planning and governance in place
  • how information will be accessed, shared and managed
  • what backup and contingency arrangements are in place
  • how they are meeting data protection and data security requirements. They should have clear and robust policies about consent, privacy and equality.

What’s next?

We have just published our new five year strategy which has a strong focus on innovation and improvement. This will be followed by a review of our inspection framework which will consider all areas of inspection including: what good looks like in relation to safe, well-led information management and cyber security; what constitutes good practice; and how evidence can be gathered.

We are keen to work with care providers – and the wider system – through the course of that review. Data protection and cyber security is not just an issue for care providers. It is also an important issue for health and care system leaders and commissioners. In future, CQC will have a role in both local authority and Integrated Care System (ICS) oversight. One of our ambitions is to simplify our inspection framework and to apply the same standards to all activities including provider regulation, LA and ICS oversight. We are keen to develop consistent approaches across health and social care – including around the safe and effective use of data.

We aim to have the new framework in place within 12 months.

To find out more and keep up to date on CQC developments, register for CQC updates.

Contact [email protected]

Support on data protection and cyber security

Access free support from the Better Security, Better Care programme and find out more about the Data Security and Protection Toolkit.

Back to News