Friday 23 Sep 2016 @ 13:10
Care Quality Commission
Printable version

CQC publishes independent review into data security breach

On 28 July 2016 CQC publicly reported a data security breach involving the loss of Disclosure and Barring Service (DBS) certificates from CQC premises in Newcastle. Following this incident and the internal Serious Incident Report, an independent, external review of the incident was commissioned.

This review – conducted by an independent security expert who interviewed CQC staff, inspected CQC premises and reviewed documentation – has now been published.

The purpose of the review was to establish how the data loss incident occurred; to review the organisation’s response to the incident; to examine relevant information security policies and procedures; and to make recommendations on how these could be improved.

The review agrees with the conclusion of the internal CQC Serious Incident Report that the missing documents are unlikely ever to be recovered and that it is unlikely that the loss occurred as a result of theft.

Failure to recognise information risk, non-compliance with CQC’s own information security policy and a failure to follow and manage the project plan for the office refurbishment project during which the loss occurred are all identified as factors that contributed to the data breach. The review concludes that, although failings on the part of contractors involved in the office refurbishment were also a contributing factor, the contractors cannot be held responsible for the breach.

The overall information security architecture of CQC was found to be’ fundamentally sound’. However, information security policies are only robust if all staff adhere to them. The review has recommended that work is done to ensure that all CQC staff understand best practice on information security and reflect this practice in their everyday behaviours.

The review makes six recommendations in total. The first five of these relate to information risk management, incident response management and supply chain risk management, while the sixth is that CQC should embark on a programme of security culture change in order to become an exemplary information security organisation. All recommendations are being followed up and incorporated into a wider programme of work to embed information security and governance into CQC culture; this will include working with other organisations to identify good practice, staff training and organisational spot checks.

Alongside the review, CQC is publishing a response that sets out the actions it will take to ensure that these recommendations are addressed. The organisation is committed to ensuring that every possible step is taken to guard against any future data security breaches.

Information security review – External review report PDF 2.17 MB

Information security review – CQC response PDF 128.46 KB

Read our initial statement on the loss of the DBS documentation and the internal incident report.

 

Channel website: http://www.cqc.org.uk/

Share this article

Latest News from
Care Quality Commission

New guidance: Assessing the well-led key question for NHS trusts

09/04/2024 14:05:00

Good leadership has a significant impact on staff morale and patient experiences of care. Our guidance on how we will assess the well-led key question aims to support NHS trusts to understand what good leadership looks like.

Integrated care system assessments: update April 2024

05/04/2024 13:20:00

The Health and Care Act 2022 gives us new responsibilities to assess whether integrated care systems (ICSs) are meeting the needs of their local populations.

Final guidance on visiting and accompanying in care homes, hospitals and hospices

04/04/2024 11:25:00

Following consultation earlier this year, we have now published final guidance to help providers understand and meet the new fundamental standard on visiting and accompanying in care homes, hospitals, and hospices.

Joint statement on Martha's Rule from the NMC, GMC and CQC

03/04/2024 12:20:00

A joint statement from the Nursing and Midwifery Council, General Medical Council and Care Quality Commission, on our support for the implementation of Martha's Rule by NHS England. 

Joint statement on Martha's Rule from the NMC, GMC and CQC

02/04/2024 16:25:00

A joint statement from the Nursing and Midwifery Council, General Medical Council and Care Quality Commission, on our support for the implementation of Martha's Rule by NHS England. 

Tell us what your maternity care was like for you in 2024

06/03/2024 13:05:00

CQC's 2024 national maternity survey is happening soon. The survey is carried out every year. It asks women and other people who have used maternity services about their experience of maternity care.

Our new assessment approach: Assessing the well-led key question for NHS trusts

04/03/2024 12:20:00

As a part of introducing our new approach, we plan to start work on well-led assessments for NHS trusts which have been developed in collaboration with NHS England.

Working with National Voices and the Point of Care Foundation on Regulators’ Pioneer Fund project

21/02/2024 12:05:00

In September 2023, the Regulators’ Pioneer Fund awarded us a grant of £635,394.

National survey shows some improvement in maternity experiences, but help not always available when needed

09/02/2024 16:05:00

Findings from a survey of more than 25,500 women and people who used NHS maternity services in 2023 indicate some aspects of care have improved in the past year, but many maternity care experiences are still less positive than they were five years ago.