Information security management

NHS organisations need robust information security management arrangements for the protection of their patient records and key information services, to meet the statutory requirements set out within the Data Protection Act 1998 and to satisfy their obligations under the Civil Contingencies Act 2004.

Without effective security, NHS information assets may become unreliable and untrustworthy, may not be accessible where and when needed, or may be compromised by unauthorised third parties. All NHS organisations and those who supply or make use of NHS information therefore have an obligation to ensure that there is adequate provision for the security management of the information resources that they own, control or use.

NHS information assets may consist of:

  • digital or hard copy patient health records
  • digital or hard copy administrative information
  • digital or printed x-rays, photographs, slides and images
  • digital media (for example, CD-ROMs, DVDs and USB memory sticks)
  • computerised records, including those that are processed in networked, mobile or stand-alone systems
  • e-mail, text and other message types

Information, whether in paper or digital form, is the lifeblood of NHS organisations because of its critical importance to NHS patient care and other related business processes. High-quality information underpins the delivery of high-quality evidence-based healthcare and many other key service deliverables. Information has the greatest value when it is accurate, up-to-date and is accessible where and when it is needed.

Inaccurate, outdated or inaccessible information that is the result of one or more security weaknesses can quickly disrupt or devalue mission-critical processes, and these factors should be fully considered when commissioning, designing or implementing new systems. An effective information security regime, therefore, ensures that information is properly protected and is reliably available.

NHS information may be needed to support:

  • patient care and continuity of care
  • day-to-day business processes that underpin the delivery of care
  • evidence-based clinical practice
  • public health promotion and the communication of emergency guidance
  • sound administrative and managerial decision making, as part of the knowledge base for the NHS
  • the meeting of legal requirements, including requests from patients under the provisions of the Data Protection Act or Freedom of Information Act
  • clinical or other types of audit
  • improvements in clinical effectiveness through research
  • archival functions by taking account of the historical importance of information
  • patient choice and control over treatment and services designed around patients

In April 2007 the Department of Health published the Information Security Management: NHS Code of Practice.

This is a guide to the methods and required standards of practice in the management of information security for those who work within, under contract to, or in business partnership with NHS organisations in England. Its purpose is to identify and address security management in the processing and use of NHS information; it is based on current legal requirements, relevant standards and professional best practice.
