9. Respect and protect users’ confidentiality and privacy
Evaluate what data and information your service will be collecting, storing and providing.
Identify and address security threats, legal responsibilities, confidentiality and privacy issues and risks associated with the service. Consult experts where you need to.
Why it's important
The NHS handles some of the most sensitive personal data. It has a legal duty to protect this information. Failing to do so would undermine public trust in the health service.
What you should do
Your team should be able to show that you:
- collect and process user's personal information in a way that's secure and respects their privacy
- have appropriate processes in place to protect the public and NHS staff, for example, if you manage user generated content
- comply with the General Data Protection Regulation (GDPR)
- are aware of and, if appropriate, comply with NHS specific guidance on data security and information governance
- actively identify security and privacy threats to the service and have a robust, proportionate approach to securing information and managing fraud risks
- have a plan and budget that lets you manage security during the life of the service (for example, by responding to new threats, putting controls in place and applying security patches to software)
- use the NHS login and NHS identity programme, if your service needs identity assurance and authentication
- work with business and information risk teams (for example, senior information risk owners and information asset owners) to make sure the service meets security requirements and regulations without putting delivery at risk
- carry out appropriate vulnerability and penetration testing
- Collecting personal information from users
- Protecting your service against fraud
- Securing your information
- Vulnerability and penetration testing
Read more about this
- Data security and information governance (NHS Digital)
- Data security and protection toolkit (NHS Digital)
- Guide to the General Data Protection Regulation (GDPR) (Information Commissioner's Office)
- Identity verification and authentication standard for digital health and care services, DCB3051 (NHS Digital)
- National Data Guardian for health and care(GOV.UK)
- NHS login
Would you like to contribute to the NHS service standard?
Please let us know how this has worked for you and, in particular, if you have gone through a GDS or NHSX service assessment or peer review. This will help us improve it for everyone.
Before you start, you will need a GitHub account. It's an open forum where we collect feedback.