Professional Comment

Data Protection: Understanding the Rules

By Tracy Pez, Data Protection Consultant – Data Protection People (www.dataprotectionpeople.com)

In the realm of health and social care organisations, the implementation of National Data Guardian (NDG) standards and the UK General Data Protection Regulation (UKGDPR) principles is not only paramount but essential. Together the UKGDPR and NDG standards safeguard sensitive information and ensure the resilience of critical services against potential disruptions, like cyber-attacks.

Exploring the interplay between the ten NDG standards and the seven principles of the UKGDPR reveals insightful connections and highlights areas of best practice for health and social care organisations that process personal and sensitive data.

The first NDG standard emphasises secure handling, storage, and transmission of personal and confidential data. This aligns harmoniously with the UKGDPR’s sixth principle, which requires that controllers (i.e. care facilities) ensure data security through appropriate measures. These can be technical measures, or organisational measures such as policies and procedures.

The second NDG standard focuses on staff responsibilities. Similar conditions in the UKGDPR include Article 24(2), which emphasises the need to implement data protection policies, and Article 5(2), which requires demonstrable compliance with the data protection principles. The UK’s Information Commissioner flags that leadership is crucial to compliance and that staff at all levels must have clear responsibilities for data protection-related activities.

The third NDG standard calls for regular data security training and competency assessments for staff. While the UKGDPR lacks specificity, it underscores the importance of training and awareness to translate policies into practice.

The fourth NDG standard advocates data access on a need-to-know basis, echoing the UKGDPR principles of data minimisation and storage limitation. The UKGDPR’s emphasis on privacy by design highlights the importance of access control. The essence here is that access should be based on necessity, and revoked when that necessity ceases.

The fifth NDG standard highlights the importance of investigating data breaches and periodically reviewing and improving processes which could compromise data security. This aligns with the UKGDPR, under which controllers must investigate all breaches and review the effectiveness of the measures they put in place. This allows organisations to learn and improve.

The sixth NDG standard focuses on countering cyber-attacks, stating that cyber-attacks must be identified, resisted and responded to. The UKGDPR meanwhile casts a wider net regarding security, also covering physical security and non-cyber attacks.

The seventh NDG standard requires business continuity plans to be in place regarding threats to data security. The UKGDPR is again not so prescriptive, but expects measures to be implemented to restore the availability of, and access to, personal data in the event of a physical or technical incident. A regularly tested business continuity plan is a great first step in addressing this obligation.

The eighth NDG standard requires that no unsupported operating systems, software or internet browsers are used. The UKGDPR does not expressly prohibit the use of old and unsupported systems, but it does require a risk-based approach when determining the control measures to implement to protect data.

The ninth NDG standard states that a strategy is required for protecting IT systems from cyber threats. The UKGDPR requires the implementation of data protection policies by the controller where proportionate. In a care setting, given the nature of the health data, implementing IT strategies and policies would be considered proportionate.

The tenth NDG standard again aligns with the UKGDPR and requires suppliers of IT systems and services to understand their obligations as processors under the UKGDPR and the NDG standards. An appropriate data processing or sharing agreement should be in place prior to sharing data with any third parties.

In summary, the NDG standards as a code of conduct, and the UKGDPR as a piece of legislation, are inherently compatible. The NDG Standards can provide a foundation for implementing appropriate measures as required by the UKGDPR.

If in doubt over how best to implement either, reach out to an information governance or privacy practitioner. We don’t bite and are pragmatic in trying to find solutions to data protection challenges.