DSPT In depth: Using and Managing Data

This webinar explored how adult social care providers can use and manage data safely, securely and confidently, in connection with the Data Security and Protection Toolkit (DSPT). The session focussed on the practical steps providers can take to understand the data they hold, meet legal requirements, reduce risks and build better everyday practice.

The DSPT is a framework that helps care organisations demonstrate that they know what data they hold, why they hold it, how it is protected, and what they would do if something went wrong.

 

Webinar Summary

The key takeaway of this webinar

The overall message from this webinar was that safe data management is central to good care. By understanding the data you hold, putting strong policies and controls in place, training staff and testing plans, care providers can protect people, meet their responsibilities and build confidence in their digital systems.

Practical takeaways for care providers

  • Use the DSPT as a practical framework, not a tick-box exercise.
  • Identify what personal data you hold, where it is stored and who can access it.
  • Make sure key documents are in place, including an information asset register, record of processing activities and DPIAs.
  • Train staff regularly so they understand their responsibilities and know how to report concerns.
  • Use strong digital controls such as multi-factor authentication, encryption, antivirus protection and software updates.
  • Review record retention and securely destroy data and devices when they are no longer needed.
  • Check supplier security and understand risks across your supply chain.
  • Test business continuity plans so you know you can recover data and keep services running.

Why data protection matters and understanding what counts as personal data

The webinar explored the legal responsibilities that apply to organisations handling personal data, including the UK GDPR and the Data Protection Act 2018, and explained why personal data must be used fairly, lawfully and transparently, for clear purposes. Data must be accurate, kept up to date, retained only for as long as needed, and protected through appropriate security measures.

Poor data protection can have serious consequences, and a strong approach to data protection helps build trust and supports safer, more effective care. Additionally, personal data is broader than many people realise: if information can identify a living person, directly or indirectly, it is personal data.

Policies, roles and accountability

Care providers need to identify who is responsible for data protection in their organisation. This person or persons must ensure that policies are in place, staff are trained and data is kept accurate and secure, as well as reporting any incidents or breaches. Alongside this person, everyone in an organisation has a role to play in keeping information safe and reporting concerns quickly.

Key documents providers need

There are three important documents that help care providers understand and manage their data responsibilities:

  1. Information Asset Register: a record of all the places where personal data is stored, including digital systems, paper files, devices and physical locations.
  2. Record of Processing Activities: a record of the confidential information coming into and leaving the organisation, including the lawful basis for processing it.
  3. Data Protection Impact Assessment: a risk assessment for new projects, systems or processes involving personal data, helping organisations identify and reduce data protection risk.

The DSPT includes templates and guidance to support providers with these documents.

What to do if something goes wrong

Not every incident needs to be reported to the Information Commissioner’s Office (ICO), but some personal data breaches must be reported within 72 hours. In the event of a data concern: avoid panic, act quickly, contain the incident where possible, assess the risk, protect anyone affected and report to the ICO where required. Staff need to feel able to speak up when something has gone wrong, rather than hiding mistakes or trying to deal with them alone.

Controls that reduce risk

Human error remains one of the most common causes of successful cyber and data breaches, but there are practical digital controls that can help providers keep data secure. These included:

  • strong passwords
  • multi-factor authentication
  • software updates
  • antivirus protection
  • trusted Wi-Fi networks
  • device encryption and the ability to track, lock or wipe lost or stolen devices
  • training staff to recognise phishing attempts
  • having a record retention and secure disposal policy

Working with suppliers

Many care providers rely on suppliers who may handle or store data on their behalf, and it’s important to know what security measures they have in place and whether they have appropriate certifications or assurances.

A weak link in the supply chain can create risk for everyone connected to it. Providers should ask questions about security, and make sure supplier arrangements are reflected in their own policies and risk assessments.

Business continuity and testing

Providers need to know how they would continue to access and use essential data if systems went down, devices were lost, records were damaged, or a cyber attack disrupted services. Plans and continuity arrangements should be tested regularly, including checking that backups can be accessed and restored when needed.

 

Speakers / Presenters

Thank you to Sam Harper for presenting this webinar.