National Data Guardian panel focuses on DSPT, cyber assessment framework and national data opt-out reform

The national data guardian panel met recently to discuss updates on the data security and protection toolkit (DSPT), the cyber assessment framework and national data opt-out reform.

With NHS England and the Department of Health and Social Care planning to implement the cyber assessment framework within the DSPT, the panel discussed how the framework aims to ‘build upon the success’ of the national data guardian’s ten data security standards. They also noted a proposal for a phased withdrawal of these standards, supported by the adoption of minimum expectations set by the new framework, which they noted to be “more robust or at least as stringent as those currently set through the DSPT”.

The panel discussed how moving to an outcomes-based model could support decision-making, move away from a tick-box compliance exercise and, as a result, help measure and mitigate risks. It was noted that “during the review process that led to the 10 NDG security standards, it was found that data breaches were caused by people, processes and technology, and strong leadership was essential to address these issues”.

The panel raised stakeholder communication as essential for the cyber assessment framework and encouraged the national data guardian to issue a public statement jointly with NHSE and DHSC colleagues, with the aim of explaining why the national data guardian is supporting the adoption of the information standard aligned with the new framework. Additionally, the panel raised the view that it’s “crucial to make it clear that the change is an ‘evolution’ of the existing standards and not a ‘withdrawal’ of the NDG standard”.

Discussion moved on to explore plans to reform the national data opt-out (NDOO), with the DHSC data policy team confirming that a large-scale public engagement exercise is planned for later this year, which will be used to engage members of the public on this subject. NHSE and the DHSC are to establish a steering group to advise on it. The panel noted concerns that the objective of the public engagement exercise (as currently drafted) “may not be clear or well-defined enough to prompt useful ‘actionable’ feedback from participants” and suggested that the scope should be narrowed, or alternatively that more clearly defined options for opt-out reform could be presented to the public for discussion. Acknowledging these points, the data policy team confirmed that there will be further engagement on the exercise as work progresses, with this discussion forming an “early opportunity for input ahead of the design phase”.

The other main topic discussed during the meeting was the reasonable expectations data project, with the project manager in the Office of the National Data Guardian noting that the co-design phase has exceeded the initial timeline expectations; however, this extension has been deemed “essential to ensure the accuracy of the materials with the partner programmes before advancing to the public deliberation phases”. Communication materials are currently under development, with the materials to be shared with the wider project team for review.

The minutes from the meeting can be found in full here.

Last September, we shared a call to action emphasising the duty of health and social care staff to share information on patient care, published by NHSE and originating from national data guardian Dr Nicola Byrne, information commissioner John Edwards and chief medical officer for England Professor Chris Whitty.