Dispelling data protection myths

As part of the Better Security, Better Care programme, I’ve been helping care groups to navigate their data and cyber security journey – and it’s had some interesting detours.

Covid has accelerated the use of digital technology and the recording of medical information, so it is more important than ever to ensure you have good data and cyber security arrangements in place. You really don’t want to be distracted by a painful and time-consuming cyber-attack or data breach.

There are, however, some common myths about data protection that still prevail and may be preventing you from using the free Data Security and Protection Toolkit (DSPT) to check and improve your arrangements. Here’s my reality check on what it’s really about.

Myth: “Completing the DSPT for all our services will take a huge amount of time and need a data specialist.”

Time is more precious than ever for care staff. This is why, if you use the same data protection policies and procedures across all your services, you only need to complete one DSPT for all. If you don’t have a data specialist in-house, you can still work your way through the toolkit. The Better Security, Better Care programme can help you with that.

When you’ve published the DSPT once, it’s much quicker to review and republish it at least once a year because you don’t have to start from scratch.

And remember that managing a data breach can take weeks if, for example, you’ve lost clients’ records, staff rosters or banking details. The DSPT can help you to reduce the risk of a breach and the potential associated fines.

Myth: “We can access NHS patient information systems with NHSmail, so we don’t need the DSPT.”

68 per cent of those who replied to Better Security, Better Care’s recent quiz thought this was true. It’s not.

In order to access digital systems such as proxy GP records, medication management or hospital discharge information, you need to reach Standards Met on the DSPT; NHSX and NHS Digital are very clear about that. NHSmail is a great secure email system – but it’s not sufficient to access patient information systems.

Myth: “Commissioners and regulators don’t really care about our DSPT status, so it's not a priority.”

If you deliver care under an NHS contract, then using the DSPT is already a requirement under the General Conditions of the NHS Standard Contract.

The Local Government Association is strongly encouraging local authorities to add the DSPT to their contracts, and increasing numbers are already doing this.

The use of data and cyber security is included within the CQC’s assessment framework. And inspectors do encourage care providers to use the DSPT.

Get support

Get free, expert support from the Better Security, Better Care programme. Our support includes: support to large care groups and to local services, a free review of your DSPT responses, films, guides and a free helpline.

Visit www.digitalsocialcare.co.uk/bettersecuritybettercare