Data protection and cyber security: myths and facts

Some care providers think data protection and cyber security isn’t an issue for them, and that they don’t need the Data Security and Protection Toolkit. Michelle Corrigan, Programme Director of Better Security, Better Care, dispels some of the myths that are doing the rounds.

“We really get that care providers are under astonishing levels of pressure – and with yet another covid winter upon us, that’s not changing any time soon,” says Michelle. “But it isn’t just the stresses and strains of the job that mean some care providers are not coming forward for support with the Data Security and Protection Toolkit. It’s simply the belief – or perhaps the hope – that it isn’t really for them.”

Every care provider – regardless of service or size, regulated or unregulated – stores and shares information about the people they support, their staff, and their professional partners. That’s often personal, sensitive data, but it may also be business information like bank account details of commissioners and funders. So every organisation has data protection responsibilities.  And in this day and age, that information is almost always stored or shared in some digital format.

The Data Security and Protection Toolkit (DSPT) is the sector-led, freely-available, national toolkit to guide care providers through their data and cyber security arrangements. Usage has increased, but why are some care providers hesitant?

Here are our responses to some of the common myths identified by a recent review of issues raised with the Programme, and through an online quiz earlier this month.

Myth: “We use paper records, not digital systems – so the DSPT isn’t for us.”

Fact: That’s not true – on a couple of levels. Paper records are subject to data protection legislation and are included within the DSPT. And also, how many organisations genuinely do not store or share any information digitally? Think about the information that you share on emails or by text – including to colleagues’ own private mobile phones. Even if it’s not in a formal digital record, it’s still being shared through a digital channel so it is at risk of a cyber attack or data breach. The DSPT helps you reduce risk – and prove to others that you are taking it seriously.

Myth: “We completed the DSPT a year or more ago. So we’re covered.”

Fact: It is great that more providers are completing the Toolkit, but it’s not a one-off activity. Things change rapidly so you need to complete the DSPT and publish the standard that you reach, at least once every year. In fact, we strongly advise you to keep your DSPT live and up to date.  Changes to services, systems and staff can all impact on your data and cyber security policies, procedures and practices. If you have already completed your DSPT, and you’ve introduced significant changes, you can quickly update the relevant sections of the Toolkit and republish. You don’t have to start from scratch.

Myth: “The DSPT is complex and time consuming – you need to be a data geek to complete it.”

Fact: OK, so you do need to involve people who understand what your organisation is doing with information to complete the DSPT – but you definitely don’t need to be a data or cyber expert. The Better Security, Better Care programme offers free support on the DSPT to all care providers. And we have recently expanded that support to include a free review of your DSPT responses, including tailored advice on how to improve. We have also updated our series of films that guide you through each set of questions on the DSPT.

We know time is scarce, but the last thing you want is to have to worry about the risk of data breach and possible fines. The DSPT can help you to reduce those risks, comply with contracts as well as legislation, and help with your CQC inspection.

After you’ve published the DSPT for the first time, it’s much quicker to review and republish it. And if you have multiple services, but the same data protection and cyber security policies, procedures and practices, you just need to complete one DSPT.

Myth: “We can access NHS patient information systems with NHSmail, so we don’t need the DSPT.”

Fact: We’re hearing this a lot – in fact 68 per cent of respondents to our recent online quiz thought this was the case. And it’s really not. NHSmail is a great secure email system for communicating directly with NHS colleagues. But it does not give you access to shared systems such as proxy access to GP or medication ordering systems. NHSX and NHS Digital are very clear that you must have reached at least Standards Met on the DSPT. The reason is that care providers need to give assurance that they are practising good data security and that personal information is handled correctly.

Myth: “Commissioners and regulators don’t really care about our DSPT status, so it’s not a priority.”

Fact: If you deliver care under an NHS contract, then it’s already part of your contractual responsibilities. It’s one of the General Conditions of the NHS Standard Contract.

The Local Government Association is strongly encouraging local authorities to add the DSPT to their contracts. Several authorities are already doing this, and it’s clearly the direction of travel.

The use of data and cyber security is included within the CQC’s assessment framework. And inspectors do encourage care providers to use the DSPT as they recognise it as an “effective and efficient way of demonstrating compliance”.

Myth: “The DSPT doesn’t help me to manage COVID within our service – so it’s really not important.”

Fact: We fully appreciate that COVID is a major priority and we won’t pretend that the DSPT is going to resolve your key concerns. The pandemic has, however, increased the use of digital technology and recording of medical information – such as covid infection, vaccination or exemption status.  The DSPT can help you to check that your data and cyber security policies, procedures and practices are helping you to keep that data safe.

Further information

Get free, expert support on completing your Data Security and Protection Toolkit from the Better Security, Better Care programme.

Press enquiries

Contact [email protected] 

