NHS service standard
9. Create a secure service which protects people's privacy
Establish the security risks, threats and legal responsibilities associated with the service, including confidentiality and privacy.
Understand how to manage risks throughout the delivery lifecycle and put robust security measures in place to protect against potential threats.
Why it's important
The NHS handles some of the most sensitive personal data. It has a legal duty to protect this information. Failing to do so would undermine public trust in the health service.
What you should do
Your team should be able to show that you:
- follow the Secure by design principles on the Government Security website
- make sure senior leaders who are accountable for security are aware of risks
- have a plan and budget to manage security during the life of the service, including responding to changes in requirements or new threats
- perform due diligence on the security of third-party software
- carry out user research to create security processes that are fit for purpose and easy to understand
- collect, process and store data securely and in a way which respects people's privacy
- maintain an assessment of security risks and mitigate threats with appropriate protections
- work with business and information risk teams to make sure the service meets security requirements and manages fraud risks
- anticipate and manage vulnerabilities, limiting opportunities for cyber attacks
- regularly test security controls
- are aware of and, if appropriate, comply with NHS-specific guidance on data security and information governance
- use the NHS login and NHS identity programme, if your service needs identity assurance and authentication
- allow for a full range of privacy preferences so people can control how much information they give and share
- make it easy for users to actively make informed decisions about privacy settings, update their settings and track any changes (for example, by carers or other people who have access to their records)
- if appropriate, undertake a data protection impact assessment (DPIA) and publish a privacy policy
- have processes in place to protect the public and NHS staff, for example, if you manage user-generated content
Guidance
GOV.UK resources
- Collecting personal information from users
- Protecting your service against fraud
- Secure by design
- Securing your information
- Vulnerability and penetration testing
- Working with cookies or similar technologies
Find out more about this
- Data protection impact assessments (Information Commissioner's Office)
- Data security and information governance (NHS England)
- Data security and protection toolkit (NHS England)
- Identity verification and authentication standard for digital health and care services, DCB3051 (NHS England)
- Mitigating malicious intent with MISUSE threat modelling (IBM) – a framework for considering the risks to vulnerable users of tech-enabled abuse
- National Data Guardian for health and care (GOV.UK)
- NHS login (NHS England)
- UK General Data Protection Regulation (GDPR) guidance and resources (Information Commissioner's Office)
Updated: April 2025