Videos, tips, templates and useful information to help you complete the Data Security and Protection Toolkit questions on ‘Staffing and Roles’ for adult social care providers.

There are two groups of questions to answer:

Staff responsibilities

Staff training


 


Staff responsibilities

These DSPT questions will help you to consider staff members’ responsibilities for keeping data safe. You need to answer these three questions in order to reach Standards Met.

1.1.5    Who has responsibility for data security and protection and how has this responsibility been formally assigned?

You must answer this question to reach: Approaching Standards, Standards Met or Standards Exceeded

Tool Tip

Whilst data security and data protection is everybody’s business, there must be a named person within your organisation who takes overall senior responsibility for data security and protection issues. Their responsibility is to provide senior level leadership and guidance.

In the text box, name the person or people within your organisation with overall responsibility for data security and protection, along with their roles. Then, for each person, describe how this responsibility has been formally assigned to them. For instance, this responsibility could form part of their job description, or be noted in the minutes of a management meeting, or be in an email from the appropriate director in your organisation. Your organisation may also have additional specialised roles, for example a Data Protection Officer or a Caldicott Guardian.

If you have a high turnover of staff in your organisation, you might wish to record the job title of the person who will take this responsibility – not just the name of the individual. If that person leaves the organisation, you still know who would be responsible for this area. You could add the details of the person who currently carries out this responsibility in the ‘comments (optional)’ box.

Additional information

Read our guide on data security and protection responsibilities and specialised roles.

 

2.2.1    Do all employment contracts, and volunteer agreements, contain data security requirements?

You must answer this question to reach: Approaching Standards, Standards Met or Standards Exceeded

 Tool Tip

Clauses in contracts or agreements should reference data security (confidentiality, integrity and availability). Many contracts commonly focus on just confidentiality.

Your organisation’s staff employment contracts, and volunteer and trustee agreements if you have them, should be reviewed to see if they need to be updated to include a clause on data security.

Additional information

There is an example staff contract clause available.

 

4.1.1    Does your organisation have an up to date record of staff, and volunteers if you have them, and their roles?

You must answer this question to reach: Approaching Standards, Standards Met or Standards Exceeded

 Tool Tip

Your organisation must have a list of all staff, and volunteers if you have them, and their current role. This list should be kept up to date, including any change of role, new starters and removal of leavers.

This might be linked to your existing payroll or rostering system.

 


Staff training

These questions are about how you train your staff and keep their knowledge up to date. You need to answer four questions in order to reach Standards Met.

2.1.1    Does your organisation have an induction process that covers data security and protection, and cyber security?

You must answer this question to reach: Approaching Standards, Standards Met or Standards Exceeded

Tool Tip

All new staff, directors, trustees and volunteers who have access to personal data should have an induction that covers data security and protection as well as cyber security. It is good practice to keep records of who has been inducted and to review the induction process on a regular basis to ensure it is effective and up to date.

Additional information

Access further guidance for staff on data sharing and cyber security.

 

3.1.1    Has a training needs analysis covering data security and protection, and cyber security, been completed in the last twelve months? 

You must answer this question to reach: Standards Met or Standards Exceeded

Tool Tip

A training needs analysis is a process which helps identify the data security and protection, and cyber security, training and development needs across your organisation. Your organisation’s training needs analysis should identify the level of training or awareness raising required by your staff, directors, trustees and volunteers if you have them. It should be reviewed and/or approved annually by the person(s) with overall responsibility for data security and protection within your organisation. 

Additional information

An example training needs analysis is available to download.

 

3.2.1    Have at least 95% of staff, directors, trustees and volunteers in your organisation completed training on data security and protection, and cyber security, in the last twelve months?

You must answer this question to reach: Standards Met or Standards Exceeded

Tool Tip

All people in your organisation with access to personal data must complete appropriate data security and protection, and cyber security, training every year. Your organisation’s training needs analysis should identify the level of training or awareness raising that people need. There is an understanding that due to illness, maternity/paternity leave, attrition or other reasons it might not be possible for 100% of people to receive training every year. Therefore, the target is 95% of people with access to personal data. For clarity, it is the last twelve months prior to the date of publication.

Additional information

Better Security, Better Care’s Data Security and Protection elearning course has been specifically designed to comply with the DSPT. Staff can complete the free course and an assessment. If they reach 80% on the assessment, they will receive a dated certificate which they can send to their employer. You can keep a record of who has completed the course and when – this will provide the evidence you need for your DSPT.

Access the elearning course

We also have other resources and discussion guides for managers to help improve staff’s knowledge and skills. See other data and cyber security training.

 

3.4.1    Have the people with responsibility for data security and protection received training suitable for their role?

You must answer this question to reach: Standards Met or Standards Exceeded

Tool Tip

It is likely that the person or people within your organisation who are responsible for data security and protection will need additional and more in-depth training than the majority of your staff. Your organisation’s training needs analysis should identify any additional training required by people with increased data security and protection responsibilities or specialist roles, for example a Data Protection Officer (DPO).