Videos, tips, templates and useful information to help you complete the Data Security and Protection Toolkit questions on ‘Staffing and Roles’ for adult social care providers.
There are two groups of questions to answer.
These DSPT questions will help you to consider staff members’ responsibilities for keeping data safe. You need to answer these three questions in order to reach Standards Met.
You must answer this question to reach: Approaching Standards, Standards Met or Standards Exceeded
Whilst data security and data protection is everybody’s business, there must be a named person within your organisation who takes overall senior responsibility for data security and protection issues. Their responsibility is to provide senior level leadership and guidance.
In the text box, name the person or people within your organisation with overall responsibility for data security and protection, along with their roles. Then, for each person, describe how this responsibility has been formally assigned to them. For instance, this responsibility could form part of their job description, or be noted in the minutes of a management meeting, or be in an email from the appropriate director in your organisation. Your organisation may also have additional specialised roles, for example a Data Protection Officer or a Caldicott Guardian.
If you have a high turnover of staff in your organisation, you might wish to record the job title of the person who will take this responsibility – not just the name of the individual. If that person leaves the organisation, you still know who would be responsible for this area. You could add the details of the person who currently carries out this responsibility in the ‘comments (optional)’ box.
Read our guide on data security and protection responsibilities and specialised roles.
You must answer this question to reach: Approaching Standards, Standards Met or Standards Exceeded
Clauses in contracts or agreements should reference data security (confidentiality, integrity and availability). Many contracts commonly focus on just confidentiality.
Your organisation’s staff employment contracts, and volunteer and trustee agreements if you have them, should be reviewed to see if they need to be updated to include a clause on data security.
There is an example staff contract clause available.
You must answer this question to reach: Approaching Standards, Standards Met or Standards Exceeded
Your organisation must have a list of all staff, and volunteers if you have them, and their current role. This list should be kept up to date, including any change of role, new starters and removal of leavers.
This might be linked to your existing payroll or rostering system.
These questions are about how you train your staff and keep their knowledge up to date. You need to answer four questions in order to reach Standards Met.
You must answer this question to reach: Approaching Standards, Standards Met or Standards Exceeded
All new staff, directors, trustees and volunteers who have access to personal data should have an induction that covers data security and protection as well as cyber security. It is good practice to keep records of who has been inducted and to review the induction process on a regular basis to ensure it is effective and up to date.
Access further guidance for staff on data sharing and cyber security.
You must answer this question to reach: Standards Met or Standards Exceeded
A training needs analysis is a process which helps identify the data security and protection, and cyber security, training and development needs across your organisation. Your organisation’s training needs analysis should identify the level of training or awareness raising required by your staff, directors, trustees and volunteers if you have them. It should be reviewed and/or approved annually by the person(s) with overall responsibility for data security and protection within your organisation.
An example training needs analysis is available to download.
You must answer this question to reach: Standards Met or Standards Exceeded
All people in your organisation with access to personal data must complete appropriate data security and protection, and cyber security, training every year. Your organisation’s training needs analysis should identify the level of training or awareness raising that people need. There is an understanding that due to illness, maternity/paternity leave, attrition or other reasons it might not be possible for 100% of people to receive training every year. Therefore, the target is 95% of people with access to personal data. For clarity, this covers the last twelve months prior to the date of publication.
Better Security, Better Care’s Data Security and Protection elearning course has been specifically designed to comply with the DSPT. Staff can complete the free course and an assessment. If they reach 80% on the assessment, they will receive a dated certificate which they can send to their employer. You can keep a record of who has completed the course and when – this will provide the evidence you need for your DSPT.
We also have other resources and discussion guides for managers to help improve staff’s knowledge and skills. See other data and cyber security training.
You must answer this question to reach: Standards Met or Standards Exceeded
It is likely that the person or people within your organisation who are responsible for data security and protection will need additional and more in-depth training than the majority of your staff. Your organisation’s training needs analysis should identify any additional training required by people with increased data security and protection responsibilities or specialist roles, for example a Data Protection Officer (DPO).