Organisations have a responsibility to ensure they’re cyber secure. Learn more about cyber security and how to improve it.
Safeguards are needed to avoid or reduce any disruption from an attack on data, computers or mobile devices. Security breaches with digital information can be more severe than with paper records as information can be distributed more easily and to a far wider audience.
Cyber-breaches are costly – in terms of expense, recovery time and through damage to reputation. All staff must be aware of how to implement protective measures.
Download 'An introduction to cyber security' to find out more about cyber security and how to improve it.
Part of being cyber-secure means making sure you’re compliant with legal data requirements, i.e. General Data Protection Regulation (GDPR).
Data Security and Protection lead
The Data Security and Protection lead is a new voluntary role for social care and whilst data security and protection is everybody’s business, someone within your organisation must take overall senior responsibility for it.
There must be at least one named person who leads on data security and protection, but when the roles, responsibilities and requirements of the Data Security and Protection Lead are broken down, there may be several people in an organisation already undertaking parts of this role.
The Data Security and Protection Lead responsibility is to:
- provide leadership and guidance from a senior level
- provide focus by acting as a champion for data security and protection
- make sure good data protection practice takes place and is implemented in the organisation
- contribute to the service level processes and procedures for processing data
- make observations and contributions to senior managers within the service.
There are increasingly high levels of data and cyber breaches in social care and health, and as we continue to develop and implement new technology and digital working this risk increases. This role will help mitigate risks by ensuring enhanced knowledge and awareness of Data Protection regulations and processes, allowing you to be able to implement newer systems and processes to reduce the threats.
While the practical tasks can be delegated to other staff, having the Data Security and Protection Lead at a senior level sets the standard for the entire organisation. It supports a positive culture where staff are confident and have the right knowledge to flag potential risks before they materialise, or to act appropriately if a breach does occur.
Download ‘The role of the Data Security and Protection Lead’ guide
Data Protection Officer
Under the General Data Protection Regulation (GDPR), you must appoint a Data Protection Officer (DPO) if you:
- are a public authority
- have core activities that include large-scale, regular and systematic monitoring of individuals and special categories of data (which includes information relating to an individual’s health).
Digital Social Care advises that large social care providers are likely to need to appoint a DPO as part of their journey towards compliance. A large care organisation could be characterised as one that is multisite (perhaps at a regional or national level), has dedicated staff in roles such as IT, HR and estates, and holds large volumes of care records.
The DPO’s responsibilities include carrying out audits, notifying the supervisory authority if there is a breach, advising the organisation about data protection law and monitoring compliance.
The DPO should have expert knowledge of data protection law and practice, understand the organisation’s business, and be independent, i.e. they cannot receive instructions on how to carry out their tasks relating to data processing.
Additionally, the DPO cannot be the individual who decides the means and purposes of processing data in your organisation. For example, a registered manager plans to bring in a new rota system which would include staff personal details; they couldn’t also be the DPO because the decision-making process might conflict with data protection obligations.
To be clear, having a Data Security and Protection Lead is not the same as having a DPO: the DPO role has specific requirements which are set out in law.
Download ‘The role of the data protection officer’ guide
Data Security and Protection Toolkit (DSPT)
The DSPT was developed by the NHS and updated in consultation with care providers to help social care providers evaluate their compliance with legal requirements, the Data Security Standards and good practice.
By reaching the ‘standards met’ through annual use of the toolkit, providers will be able to:
- reassure people they’re supporting, their families and staff that information is being managed safely and securely
- meet CQC requirements in managing data securely
- demonstrate they meet GDPR legal requirements
- access key services such as NHSmail and shared care records.
Better Security, Better Care programme
The Better Security, Better Care programme supports care providers to:
- understand the importance of data and cyber security
- complete the DSPT.
Support is available at national or local level and is accessed via the Digital Social Care website.
Further information
The Information Commissioner has written about GDPR compliance being an ongoing journey, and one where the Information Commissioner’s Office (ICO) will be a ‘fair and proportionate’ regulator.
If you need any help, the Information Commissioner’s Office (ICO) has a helpline aimed at small and medium-sized enterprises and charities. Call 0303 123 1113 and select option 4.