CQC’s plans for regulation, data and technology
What is currently required?
The Data Security and Protection Toolkit (“the Toolkit”) was introduced in 2018. In its information standard, NHS England requires social care organisations with access to NHS data to use the Toolkit to measure their performance against data security and information governance requirements. These requirements are set by the Department of Health and Social Care i.e. the 10 data security standards of the National Data Guardian.
The Toolkit should be used to demonstrate good practice relating to data security and the handling of personal information. You can find out more about the Toolkit here. Providers are required to undertake a self-assessment of their compliance with the assertions and suggested evidence set out in the Toolkit. This is a contractual obligation for those operating under the NHS Standard Contract. Assertions are statements which organisations should review and confirm. Each assertion is underpinned by evidence. Certain evidence will not be required where an organisation uses “NHSmail”. Whilst only some parts of the Toolkit are mandatory, mandatory elements may change each year.
Providers should have, by now, completed and published their assessments for 2021. If this has not been done, the potential implications range from not being involved in local data sharing projects, to losing your NHS placements or being fined.
Requirements differ according to your organisation and providers should check which category they fall into. A list of four categories and what is necessary can be found here. Care homes, domiciliary providers, pharmacies, dentists and GPs are currently in Categories 3 and 4.
We previously commented on the reasons providers should use the Toolkit and our analysis can be found here. The requirements are also reflected in the CQC’s guidance “what good looks like for digital records in adult social care”, which provides some useful advice around data governance and compliance with CQC inspection criteria.
CQC assess providers on their use and security of data in the Caring and Well-led domains by asking the following questions:
C3.3: “How are people assured that information about them is treated confidentially…?”
W2.8: “How does the service satisfy itself that it has robust arrangements… in line with data security standards?”
CQC expects providers to consider how information they hold is accessed, shared and kept safe. The NHS reports to CQC about compliance with the Toolkit. Whilst it is not mandatory for providers who are not delivering care under the NHS Standard Contract, or accessing NHS data, to complete the Toolkit to demonstrate compliance with CQC standards, in its recent update, CQC confirmed that the Toolkit is one of the most effective ways of demonstrating compliance with legal and regulatory obligations regarding data and cyber security. If this presents an easy win for providers, then it is definitely worth considering.
What are CQC inspectors looking for?
The Covid-19 pandemic has made the last year a particularly challenging one for care providers. As a result, inspectors have tended to prioritise areas such infection prevention and control, meaning they may not have asked about use of the Toolkit. However, CQC has confirmed that providers should still be using it where possible.
So, as a care provider how can you comply with CQC inspection criteria? CQC has confirmed it wants to see providers focused on outcomes for people. If, for example, a new digital system was being introduced, CQC would expect a provider to answer the following questions:
- How will the system improve the quality of care, support an organisation’s objectives and deliver better outcomes for service users?
- How have staff and service users been involved in the setup of the system?
- Are appropriate levels of planning and governance are in place?
- How will information be accessed, shared and managed?
- What backup and contingency arrangements are in place?
- How will data protection and security requirements be met (including clear and robust policies on consent, privacy and equality)?
What can providers expect next?
On 28 May 2021, CQC published its new five-year strategy. One of the areas mentioned is “accelerating improvement” meaning CQC will encourage innovation and the use of technology to provide a more effective and efficient service.
CQC has confirmed that a review of its inspection framework will follow, with a view to simplifying it. It aims to have a new framework in place within the next 12 months. During its review, CQC will consider:
- What good looks like in relation to safe, well-led information management and cyber security;
- What constitutes good practice; and
- How evidence can be gathered by inspectors to assess the above.
CQC has stated that, in the future, it will have oversight of both the local authority (LA) and Integrated Care Systems (ICS). It is therefore hoping to develop consistent approaches to and standards for both regulation and LA/ICS oversight regarding the safe and effective use of data.
The Department of Health and Social Care has committed to investing funds to increase compliance with the Toolkit and delivering support across the adult social care sector by 2022.