Yorkshire Ambulance Service NHS Trust

Information Security Management

NHS organisations have to meet the statutory requirements set out in the Data Protection Act 1998, and must satisfy their obligations outlined in the Civil Contingencies Act 2004. This is to ensure the protection of patient records and key information services. Robust information management therefore needs to be in place to ensure that this protection is achieved.

Without effective security, NHS information assets may become unreliable and untrustworthy, may not be accessible where and when needed, or may be compromised by unauthorised third parties. All NHS organisations (and those who supply or make use of NHS information) therefore have an obligation to ensure that there is adequate security management of the information resources that they own, control or use.

NHS information assets may consist of:

  • digital or hard copy patient health records
  • digital or hard copy administrative information
  • digital media (for example, CD ROMs, DVDs and USB memory sticks)
  • computerised records, including those that are processed in networked, mobile or stand-alone systems
  • email, text and other message types.

Information, whether in paper or digital form, is the lifeblood of NHS organisations and is critically important in NHS patient care and other related business processes. High-quality information underpins the delivery of high-quality evidence-based healthcare and many other key service deliverables.

Information has the greatest value when it is accurate, up to date and accessible where and when it is needed. Inaccurate, outdated or inaccessible information can easily disrupt or devalue mission-critical processes. These factors should be fully considered when commissioning, designing or implementing new systems. An effective information security regime ensures that information is properly protected and is reliable and available. NHS information may be needed to:

  • support patient care and continuity of care
  • support day-to-day business processes that underpin the delivery of care
  • support evidence-based clinical practice
  • support public health promotion and communicate emergency guidance
  • support sound administrative and managerial decision-making, as part of the knowledge base for the NHS
  • meet legal requirements, including requests from patients under the provisions of the Data Protection Act or Freedom of Information Act
  • assist clinical or other types of audit
  • support improvements in clinical effectiveness through research
  • support archival functions by taking into account the historical importance of information
  • support patient choice and control over treatment and services designed around patients.

In April 2007 the Department of Health published Information Security Management: NHS Code of Practice. This is a guide to the methods and required standards of practice in the management of information security for those who work within (or are under contract to or in business partnership with) NHS organisations in England. Its purpose is to identify and address security management in the processing and use of NHS information, and it is based on current legal requirements, relevant standards and professional best practice.