NHS service standard - 9. Respect and protect users’ confidentiality and privacy

Evaluate what data and information your service will be collecting, storing and providing.

Identify and address security threats, legal responsibilities, confidentiality and privacy issues and risks associated with the service. Consult experts where you need to.

Why it's important

The NHS handles some of the most sensitive personal data. It has a legal duty to protect this information. Failing to do so would undermine public trust in the health service.

What you should do

Your team should be able to show that you:

  • collect and process users' personal information in a way that's secure and respects their privacy
  • have appropriate processes in place to protect the public and NHS staff, for example, if you manage user generated content
  • comply with the General Data Protection Regulation (GDPR)
  • have an appropriate privacy policy in place when you launch your service
  • if appropriate, undertake and publish a data protection impact assessment (DPIA)
  • are aware of and, if appropriate, comply with NHS specific guidance on data security and information governance
  • actively identify security and privacy threats to the service and have a robust, proportionate approach to securing information and managing fraud risks
  • have a plan and budget that lets you manage security during the life of the service (for example, by responding to new threats, putting controls in place and applying security patches to software)
  • use the NHS login and NHS identity programme, if your service needs identity assurance and authentication
  • work with business and information risk teams (for example, senior information risk owners and information asset owners) to make sure the service meets security requirements and regulations without putting delivery at risk
  • carry out appropriate vulnerability and penetration testing

Guidance

GOV.UK resources

Read more about this

Would you like to contribute to the NHS service standard?

Please let us know how this has worked for you and, in particular, if you have gone through a GDS or NHSX service assessment or peer review. This will help us improve it for everyone.

Before you start, you will need a GitHub account. It's an open forum where we collect feedback.

If you have any questions, you can message us on Slack. You will need a Slack account if you do not have one. Or you can contact us by email.

Updated: July 2021