Evaluate what data and information your service will be collecting, storing and providing.
Identify and address security threats, legal responsibilities, confidentiality and privacy issues and risks associated with the service. Consult experts where you need to.
Why it's important
The NHS handles some of the most sensitive personal data. It has a legal duty to protect this information. Failing to do so would undermine public trust in the health service.
What you should do
Your team should be able to show that you:
- collect and process users' personal information in a way that's secure and respects their privacy
- have appropriate processes in place to protect the public and NHS staff, for example, if you manage user-generated content
- comply with the General Data Protection Regulation (GDPR)
- have an appropriate privacy policy in place when you launch your service
- if appropriate, undertake and publish a data protection impact assessment (DPIA)
- are aware of and, if appropriate, comply with NHS-specific guidance on data security and information governance
- actively identify security and privacy threats to the service and have a robust, proportionate approach to securing information and managing fraud risks
- have a plan and budget that lets you manage security during the life of the service (for example, by responding to new threats, putting controls in place and applying security patches to software)
- use the NHS login and NHS identity programme, if your service needs identity assurance and authentication
- work with business and information risk teams (for example, senior information risk owners and information asset owners) to make sure the service meets security requirements and regulations without putting delivery at risk
- carry out appropriate vulnerability and penetration testing
Guidance
GOV.UK resources
- Collecting personal information from users
- Protecting your service against fraud
- Securing your information
- Vulnerability and penetration testing
Read more about this
- Data protection impact assessments (Information Commissioner's Office)
- Data security and information governance (NHS Digital)
- Data security and protection toolkit (NHS Digital)
- Guide to the General Data Protection Regulation (GDPR) (Information Commissioner's Office)
- Identity verification and authentication standard for digital health and care services, DCB3051 (NHS Digital)
- National Data Guardian for health and care (GOV.UK)
- NHS login
Help us improve this guidance
Share insights or feedback and take part in the discussion. We use GitHub as a collaboration space. All the information on it is open to the public.
If you've gone through a service assessment or peer review, we're especially interested to hear from you.
Read more about how to give feedback or share insights.
If you have any questions, get in touch with the service manual team.
Updated: July 2021