NHS service standard - 9. Respect and protect users’ confidentiality and privacy

Evaluate what data and information your service will be collecting, storing and providing.

Identify and address security threats, legal responsibilities, confidentialty and privacy issues and risks associated with the service. Consult experts where you need to.

Why it's important

The NHS handles some of the most sensitive personal data. It has a legal duty to protect this information. Failing to do so would undermine public trust in the health service.

What you should do

Your team should be able to show that you:

  • collect and process user's personal information in a way that's secure and respects their privacy
  • have appropriate processes in place to protect the public and NHS staff, for example, if you manage user generated content
  • comply with the General Data Protection Regulation (GDPR)
  • are aware of and, if appropriate, comply with NHS specific guidance on data security and information governance
  • actively identify security and privacy threats to the service and have a robust, proportionate approach to securing information and managing fraud risks
  • have a plan and budget that lets you manage security during the life of the service (for example, by responding to new threats, putting controls in place and applying security patches to software)
  • use the NHS login and NHS identity programme, if your service needs identity assurance and authentication
  • work with business and information risk teams (for example, senior information risk owners and information asset owners) to make sure the service meets security requirements and regulations without putting delivery at risk
  • carry out appropriate vulnerability and penetration testing

Guidance

GOV.UK resources

Read more about this

Other help

Get in touch

If you’ve got a question about the NHS digital service manual or want to feedback, get in touch.

Updated: December 2019