Care Quality Commission
CQC publishes independent review into data security breach
On 28 July 2016 CQC publicly reported a data security breach involving the loss of Disclosure and Barring Service (DBS) certificates from CQC premises in Newcastle. Following this incident and the internal Serious Incident Report, an independent, external review of the incident was commissioned.
This review – conducted by an independent security expert who interviewed CQC staff, inspected CQC premises and reviewed documentation – has now been published.
The purpose of the review was to establish how the data loss incident occurred; to review the organisation’s response to the incident; to examine relevant information security policies and procedures; and to make recommendations on how these could be improved.
The review agrees with the conclusion of the internal CQC Serious Incident Report that the missing documents are unlikely ever to be recovered and that it is unlikely that the loss occurred as a result of theft.
Failure to recognise information risk, non-compliance with CQC’s own information security policy and a failure to follow and manage the project plan for the office refurbishment project during which the loss occurred are all identified as factors that contributed to the data breach. The review concludes that, although failings on the part of contractors involved in the office refurbishment were also a contributing factor, the contractors cannot be held responsible for the breach.
The overall information security architecture of CQC was found to be ‘fundamentally sound’. However, information security policies are only robust if all staff adhere to them. The review has recommended that work is done to ensure that all CQC staff understand best practice on information security and reflect this practice in their everyday behaviours.
The review makes six recommendations in total. The first five of these relate to information risk management, incident response management and supply chain risk management, while the sixth is that CQC should embark on a programme of security culture change in order to become an exemplary information security organisation. All recommendations are being followed up and incorporated into a wider programme of work to embed information security and governance into CQC culture; this will include working with other organisations to identify good practice, staff training and organisational spot checks.
Alongside the review, CQC is publishing a response that sets out the actions it will take to ensure that these recommendations are addressed. The organisation is committed to ensuring that every possible step is taken to guard against any future data security breaches.