Nick was made acutely aware of the value of the DSPT for all Bluebird Care franchisees after the company’s data was stolen in a widespread cyber attack that impacted both health and care services last year.
He said: “The DSPT is a sensible and safe guide for us to have in place. In August last year the rostering provider we used – which was also linked to NHS clinical services – was hit by a cyber attack. It took down the data of thousands of employees across the Bluebird Care network. That resulted in mass upheaval for the company for quite some time. And, actually, we are still experiencing challenges from it now, six months down the line. It made us realise we needed additional safeguards in place to prevent something similar happening again.”
Nick became aware of the DSPT when it was first announced that CQC-registered care providers in England should complete the self-assessment annually to demonstrate they have good data and cyber security practices in place. However, since Bluebird Care operates a predominantly private-pay care model, he didn’t think it would apply to the company’s franchisees. Nevertheless, he produced a guide for franchisees, but take-up of the DSPT by individual franchisees was low.
In December last year, Nick was made aware that a company as large as Bluebird Care, with multiple franchisees, could complete one DSPT centrally from the Franchise Support Centre, so long as franchisees had the same policies and procedures in place. Luckily, Bluebird Care has centralised policies and procedures around information governance, with each individual business obliged to legally record their franchise agreements.
Nick says the company can already see the benefits of completing the DSPT, as he explains: “The DSPT is a tool that demonstrates we’re doing even more to protect both customer and staff data against breaches, upholding our reputation.”
Creating a centralised DSPT allowed Nick to take a helicopter view of all Bluebird Care policies and identify any gaps. It also provided a structure for their data protection policy, including tightening up policies for staff using their own mobile phones.
In addition, being DSPT compliant to Standards Met offers Bluebird Care franchisees opportunities that they might have missed otherwise. For instance, it allows them to access shared systems such as GP Connect and NHSmail.
Nick admits that, at first, undergoing a DSPT audit can seem overwhelming.
“It looks like a lot. But sitting and looking at it doesn’t get it done. It’s best to break it down into bite-sized pieces. I dedicated half an hour a day over the course of a week. Fill in the mandatory bits first to focus on what’s important. Get help from others, such as your IT supplier, if there’s questions you can’t answer. And your Local Support Organisation offers free professional 1-2-1 support from a friendly face, supporting your journey and identifying risks along the way.
“If I’d known I could do the DSPT centrally I would have done it two years ago. Doing this centrally frees up time for our franchisees’ Care Managers to do other things.”
“I urge all Franchise Owners to use the toolkit and view it as the final checklist for ensuring they have all the necessary data protection safeguards in place”, says Nick. “Then you can reassure your customers and your employees that their information is safe.”