Health and social care: data strategy

Scotland’s first data strategy for health and social care, setting out how we will work together in transforming the way that people access their own data to improve health and wellbeing; and how care is delivered through improvements to our systems.


Protecting and Sharing Data

We want a trusted, secure health and care ecosystem where data is shared, managed and stored securely, consistently, efficiently and transparently.

Background

Demonstrating our ability to keep health and social care data safe and secure is crucial to public confidence and effective delivery of care, whilst ensuring relevant data is readily accessible to those who need it for clearly defined purposes.

The protection and sharing of data is managed by information governance and cyber security processes and procedures – these processes are vital both to upholding privacy and to reducing the risk of data being accessed by the wrong people. Much of this work is governed by legislation, such as the Data Protection Act and the UK General Data Protection Regulation (GDPR), and is focused on ensuring appropriate safeguards exist to enable good use of data to benefit delivery of integrated care and improved outcomes for the people of Scotland.

Protecting data is partly about being constantly vigilant against advanced and persistent threats from cyber-attacks – all organisations must already actively implement effective security measures and controls – and partly about ensuring all staff understand their personal responsibilities for the safe handling and protection of data. Safe handling extends to appropriate sharing of information: the principle of ‘do no harm’ extends to the management of data, both in respect of ensuring people are not harmed through the careless or insecure use of data, and in respect of ensuring harm does not occur because our systems and people failed to use or share data effectively and appropriately for individual or public benefit.

Our health and social care sector safely manages, secures and shares millions of pieces of data every day, and successfully defends against cyber-attacks on an ongoing basis. There are many examples of good approaches being taken to the sharing of data, but equally many examples where data has not been shared when it should have been, or where there have been delays in getting approval to share data.

The Scottish Parliament Health, Social Care and Sport Committee and key stakeholders across health and social care have strongly emphasised the need to review how the processes in place to protect and share data could be streamlined at a national and local level. More efficient and consistent ways need to be found to assess appropriately how fair, lawful, and secure proposals for digital and data-driven innovation are, and how information and privacy risks can be better managed with greater transparency and public engagement, highlighting the benefits.

Where we are now

The diverse nature of health and social care delivery across Scotland – with several thousand different legal organisations (from Health Boards to care homes) – makes the protection and sharing of data inherently complex. Each organisation is legally responsible for how it manages and safeguards the data it either controls directly or processes on behalf of others. This complexity, and the recognised need to support change, is highlighted in the “Review of the Information Governance Landscape across Health and Social Care in Scotland” published in April 2022. The review describes the current data protection landscape across health and social care in Scotland and makes a series of evidence-based recommendations for improving the sharing and protection of information – recommendations that are being progressed through this Data Strategy.

In addition, a cyber resilience framework exists across the public sector that is designed to ensure appropriate levels of cyber resilience are in place. The NHS is subject to additional regulatory controls (the Security of Network and Information Systems (NIS) Regulations) which mandate an approach to managing the security of data – and all Health Boards are audited annually against the cyber resilience framework to ensure their systems and procedures are robust and the risk from attack is minimised.

In social care, the Digital Office for Scottish Local Government has an established Security Accreditation Scheme that allows suppliers of Digital Telecare equipment to prove to telecare providers that their business processes, and the security controls provided in their products and services, meet basic requirements.

Where we want to be

We aspire to create a system for the protection and sharing of data that:

  • Builds trust through participatory engagement, increasing transparency and empowering people;
  • Creates the conditions for a mature approach to ensuring value from information, providing the right tools to staff; and
  • Introduces a more balanced, federated model of decision making, reducing variation across Scotland in terms of what can and cannot be shared.

The vision is to have streamlined governance, assurance and management of information assets that is more coherent and less fragmented across health and social care, to enable the realisation of benefits from digital and data-driven innovation. This requires a comprehensive approach that enables end-to-end ethical, rich, helpful and secure information across the health and social care sector, provides improvements in key areas, and continues to safeguard data and systems from cyber-attack. The improvements we want to make are:

Streamlining the current IG model to secure the right balance in decision-making processes over health and social care data, and ensuring we create a streamlined IG model that allows the public, data controllers, and health and social care organisations to collaborate.

Bringing greater commonality and clarity in IG across health and social care, aligning IG processes and responsibilities into a more balanced, federated IG model that ensures leadership and national direction, while recognising the necessary and impactful part that local IG processes make.

Developing a Code of Conduct on Privacy by Design for health and social care partner organisations, that would provide the necessary assurance to the public, partner organisations and supervisory authority, as well as enhance trust.

Co-producing solutions to IG challenges with our partners, and with truly transformative participation of citizens in the process. We have engaged, and will continue to engage, with a range of organisations on some of the most challenging IG considerations. We will draw the learning from these complex considerations into our development of wider IG solutions.

Harmonising the understanding of IG and demonstrating IG maturity. This means providing clarity around what Data Protection legislation means to ensure that data is shared as efficiently and safely as possible; and providing the leadership to continuously improve the maturity of how information governance is carried out across health and social care.

Setting out a national model for career pathways and continual development of those who work with the governance of health and social care data.

Investing in the right national tools for the IG tasks and processes and continuing to develop sector-specific national IG-related policy and guidelines to help with compliance and improvement.

Providing added visibility and transparency towards enhanced management of existing valuable information assets across the landscape, starting with national information assets.

Scaling up what works well in IG. Successful models from the COVID-19 pandemic, such as the governance model of the Vaccinations Programme, will be expanded to other areas. Examples of good practice/guidance across the wider ecosystem will be shared.

Continuing to monitor and manage the risks that arise in relation to data and new technologies, such as Artificial Intelligence, automated decision-making, and the use of data from wearable technologies.

Taking a strategic approach to cyber security. The Cyber Centre of Excellence (CCoE), based in the Abertay University cyberQuarter, is part of our strategic aim for Scotland-wide management of cyber security services, delivered pro-actively, securely, and consistently across all NHS Scotland Health Boards. The Digital Office for Scottish Local Government and Scotland Excel have initiated a procurement process for a shared Security Operations Centre for local government that will provide an equivalent to the NHS CCoE.

Making best use of the NIS audit reports to identify gaps in cyber security maturity and approaches, to ensure those gaps are closed.

Developing cyber standards further as part of the wider IG maturity work outlined above.

Developing our governance structures further and continuing our collaborative engagement practices with the National Cyber Security Centre (NCSC) and across our wider community of public sector organisations, including close working with the Defence, Security and Cyber Resilience Division in the Scottish Government.

Our Commitments

We will engage effectively with the public, and health and social care delivery partners, to co-produce improvements and bring greater clarity to the current federated IG model.

Who is it for?

Public
Professionals

Our Commitments

The CCoE will lead the continual improvement of the security of NHS systems and grow our specialist workforce by focusing on key enablement pillars including centralised security, 24/7 monitoring, threat hunting, incident response and training and awareness.

Who is it for?

Professionals

Our Commitments

Secure data environments must continually improve cyber security controls to ensure an appropriate level of authorised access to data at all times, as set out in the Cyber Resilience Framework.

Who is it for?

Professionals

Our Commitments

The Scottish Government Health Competent Authority (SHCA) will continue to assess annually the cyber resilience practices of all NHS Scotland Health Boards. We will use the findings from the yearly audits to set strategic direction, with a focus on mitigating practices for the areas of greatest risk.

Who is it for?

Professionals

Our Commitments

We will enhance our cyber security tools and responses and actively promote security controls and regulatory requirements.

Who is it for?

Professionals

Our Commitments

The Scottish Government will continuously review and refresh national guidance and codes of practice for the governance of information and data, in topic areas such as confidentiality, records management, information sharing, privacy by design, ethics, security, and others including charters for safe havens and patient rights. For example: Charter for Safe Havens in Scotland: Handling Unconsented Data from National Health Service Patient Records to Support Research and Statistics (www.gov.scot).

Who is it for?

Professionals
Public
Research & Innovation

Contact

Email: DHCPolicyHub@gov.scot
