Staff training, awareness and culture major DSPT change

Until July 2023, the DSPT required that you train at least 95% of your staff using the national Data Security Awareness Level 1 e-learning or a local equivalent. This has changed for 2023/24. Instead of the 95% training requirement, you now need to ensure that all your staff have an ‘appropriate understanding of information governance and cyber security’.

Changes in the DSPT Assertions / Evidence items for training.

These changes apply to NHS Trusts, ALBs, CSUs, Key IT Suppliers, Independent sector OES organisations and ICBs that are all classed as Category one organisations for the DSP Toolkit. 

3.1 Training and awareness

What’s changed for 2023/24?

Assertion: “Staff have appropriate understanding of information governance and cyber security, with an effective range of approaches taken to training and awareness.”

Until July 2023, the DSPT required that you train at least 95% of your staff using the national Data Security Awareness Level 1 e-learning or a local equivalent.

This has changed for 2023/24. Instead of the 95% training requirement, you now need to ensure that all your staff have an ‘appropriate understanding of information governance and cyber security’. 

This means that you will have more flexibility to set local training requirements that are proportionate to different staff roles, and to adopt a range of different methods to deliver that training.  Your approach will need to be proportionate to the size and type of your organisation.

The new DSPT training requirement consists of three parts, for which guidance follows below:

  • Training needs analysis
    You will need to analyse staff training needs to decide what ‘appropriate understanding’ means for your staff. This is likely to vary between roles.
  • Delivery of training and awareness activities
    You will need to deliver the training and awareness activities that you decide will maintain the appropriate level of understanding across the different staff roles.
  • Evaluation
    You will need to evaluate the effectiveness of your approach to ensure that you have met the underlying outcome of appropriate

3.1.1 Training needs analysis

Training and awareness activities form part of organisational mandatory training requirements, with a training and awareness needs analysis (covering all staff roles) that is formally endorsed and resourced by senior leadership.

Before you deliver the training, you should understand what training and awareness is needed to ensure that your staff have an appropriate level of understanding.

All staff working in a health and care organisation need some understanding of information governance (IG) and cyber security. The level will vary depending on the staff member’s role, for example:

  • A staff member with routine access to employee or confidential health and care information needs to understand how to protect and handle it appropriately to ensure it is accurate and available when needed.
  • Researchers and senior health professionals need a more advanced understanding of what they can and cannot lawfully do with confidential health and care information.
  • A staff member using a digital device such as a PC, laptop, tablet or smartphone, needs to be aware of cyber risks and how to manage them. This includes staff working in areas such as facilities and estates.
  • A staff member who unintentionally comes across confidential information, for example by overhearing a conversation or seeing sensitive details displayed in a work area, needs to understand how to appropriately respond.

The process of deciding the level of understanding different staff groups need to have, and the training that is best suited to achieving it, is known as a training needs analysis (TNA).  You can use any appropriate method for your analysis and record it in any format you choose. Guidance on an example TNA methodology is available.

Conducting a TNA allows your organisation to:

  • assess the level of training appropriate for each staff group
  • plan resources needed to deliver training
  • deliver role-specific training
  • identify and address potential gaps in the delivery of training

TNAs are iterative – as your organisation completes one cycle of training, the TNA should be reviewed and updated to reflect new national requirements, refinements in the delivery of training based on staff feedback, or changes within your organisation that impact the TNA.

Once completed and approved, the TNA should be uploaded as part of your response to 3.1.1.

You can use one of these template TNAs or another template.

Frequency of training

As part of the TNA, you should consider the frequency of training appropriate for each role, for example:

  • on joining your organisation and annually thereafter, or
  • different refresher intervals for different roles.

You are free to decide what is appropriate, provided it meets the outcome of staff having and retaining the necessary understanding for their role.

Appropriate resourcing and approval

Your TNA should be formally endorsed by your board or equivalent senior leadership and resourced appropriately, so that it is realistic.  You should include evidence of this as part of your response to 3.1.1, together with your training needs analysis.

3.1.2 Delivery of training and awareness activities

Your organisation’s defined training and awareness activities are implemented for all staff.

Training and awareness raising activities can be delivered in a variety of ways, and you are free to decide which methods to use for different staff groups. 

It is good practice to use a range of training approaches, and this usually results in better participation and comprehension. Some people respond well to e-learning; others may benefit more from face-to-face training. See for example the good practice guidance on training and awareness published by the ICO and NCSC.

Both formal training and informal awareness raising methods have their place in delivering the different levels of understanding required.

Formal training is more structured and measurable, and can be useful to ensure specific topics are covered across a group or to deliver more complex or compliance-based content. For example, you might decide to use e-learning to provide basic knowledge to all staff, with additional training in different forms to meet the specific needs of different staff groups.

Informal methods can be very helpful to raise awareness across the organisation or for specific staff groups. Alternatively, you might decide that formal training isn’t appropriate for staff that need a less advanced level of knowledge, and decide to maintain their awareness through less formal methods.

Your programme can take into account previous training that individuals may have received in your organisation or elsewhere, and the current level of awareness in different groups in your organisation.  Interviews with a small representative sample of each staff group can help you gain an understanding of this.

Monitor and record your activities

You will need to monitor and record your training and awareness activities to give assurance to your board and auditors that you are delivering them in accordance with your training needs analysis and reaching all relevant staff.

Formal training approaches

Formal training is delivered in a systematic, intentional way. It can occur in a face-to-face setting or through an online learning platform.  This training is structured and more easily measurable and can be useful for detailed training or to ensure coverage of specific topics. Here are some examples of formal training approaches that can contribute to the required outcomes:

  • in-house face-to-face training (with national or local training material – such as an induction presentation)
  • e-learning modules (such as the national Data Security Awareness module)
  • external conferences or courses – attending relevant cyber or IG events (with Continuous Professional Development (CPD) points or certificate of attendance)
  • a course syllabus including modules on data protection and confidentiality, completed within the last 12 months, for newly qualified frontline staff such as nurses or social workers
  • relevant qualifications obtained by staff in specialist roles (such as the British Computer Society (BCS) Foundation or Practitioner Certificate in Data Protection, or a records management or clinical coding course)

Awareness raising activities

Awareness raising activities will support continued awareness and can be used to deliver highlights and time-limited themes or signpost to more detailed training. They will need to be used in combination with more formal methods to meet all of the required outcomes for your organisation. Useful content and graphics to support these activities are available as part of the Keep I.T. Confidential campaign.

Here are examples of activities you can run to raise awareness in the workplace:

Intranet pages

Available to all staff with access to the staff intranet, and can be updated regularly. Include dedicated cyber security and IG information pages prominently on your staff intranet.

Staff newsletters

These can be made available to all staff via email and intranet and printed off and put on noticeboards (for staff that do not use IT equipment). They can include regular updates regarding IG and cyber security news, tips and tricks, as well as learning opportunities.

All staff events

Speakers from your IG and cyber security teams can present and answer questions. Presentations can be made at team, department or specialty level, with content tailored to the audience.

Lunch and learn sessions

Run a series of lunch and learn topic-based sessions either face-to-face, remotely, or a combination of the two. The series could cover topics such as password protection; protecting personal and confidential data; sharing information; email phishing; tailgating; physical offline security; social engineering; unlocked screens; and privacy best practice.

Drop-in clinics

Run weekly or fortnightly drop-in clinics for staff to attend with their specific IG and cyber security questions. This method can be useful to pick up potential incidents or risks, develop 1:1 knowledge, and signpost staff to appropriate training.

Shadowing opportunities

Offer shadowing access to more experienced staff to showcase what good cyber and IG practice looks like in everyday work.

Videos

Key IG and cyber staff can record pieces to camera to help inform and educate staff. These short, educational videos can then be posted to your staff intranet.

Staff awards

Share examples of staff and teams who are championing good IG and cyber behaviours. Consider nominating them in your staff awards scheme to provide recognition and positive reinforcement of those behaviours.

Examples of regulatory action

Use examples where regulators such as the Information Commissioner’s Office (ICO) have taken action against staff working in health and care, to highlight that data protection and cyber security are taken seriously.

Case studies

Post to your staff intranet case studies or blog posts of queries reported to IG and IT/cyber teams that prevented an incident occurring.

Keep I.T. confidential campaign

Use the free resources from the Keep I.T. confidential campaign to promote good IG and cyber security around your setting.

  • Print and display the posters around your site
  • Share material on your social media channels
  • Run the digital banners on your intranet site
  • Promote training through email signature banners
  • Use the pop-up banners for events and physical spaces
  • Install screen savers on staff computers

3.1.3 Evaluation

Provide details of how you evaluate your training and awareness activities.

By evaluating your training and awareness activities, you will understand whether the training needs set out in your analysis have been met, and whether you have achieved the outcome of staff having appropriate understanding of IG and cyber security.

There are a variety of ways you could seek to evaluate the effectiveness of the training methods you have implemented in your organisation.

Models of evaluation

The Chartered Institute of Personnel and Development provides more detailed guidance on methods that can be used in evaluation. The Kirkpatrick model is the most prevalent framework for evaluating learning, and consists of four evaluation levels: reaction, learning, behaviour and results.

For example, the ‘reaction’ level can be assessed with questionnaires at the end of a training session.  Determining whether staff then retain the knowledge and skills from the training requires more in-depth evaluation.

Your organisation should regularly monitor the effectiveness of your training methods. If your chosen methods are not producing the anticipated results, you will need to review why, and make the necessary changes – either to your training material or methods – to increase compliance. This should also result in an updated TNA to reflect the new approach.

A few examples are provided below:

Evaluation technique | Description | Time needed | Number of respondents
--- | --- | --- | ---
Post training questionnaire | Participants are asked to complete a short survey at the end of the training / intervention to assess their reaction | Low | Medium / high
Survey | Undertaking regular surveys of a random sample of staff, both before and after interventions, can demonstrate change over time | Low | High
Focus groups | Running focus groups with a cross section of staff can allow for more detailed feedback on the effectiveness of an intervention | Medium | Medium
Interviews | One to one interviews allow for more in-depth questioning | High | Low
Suspicious emails reported to IT | IT departments may be able to provide data on the number of suspicious emails reported, or other relevant metrics which could demonstrate a shift in cyber awareness | Low | High
Evaluation of IG and cyber queries | Number of queries reported that would or could have led to incidents if no advice had been sought | Medium | Medium
Evaluation of incidents reported internally | Review of incidents reported by different staff groups that have inadequate staff awareness as a contributing factor | Medium | Medium
Audits | Independent evaluation of the training activities in place and their respective outcomes | High | Medium
Spot checks | Random checks on individual activities linked to training | Medium | Low
Number of incidents reported to the ICO | IG teams should hold a record of any incidents reported to the ICO | Low | Low

Audit

The DSPT audit guidance will cover training with a focus on the governance of the TNA approvals; whether the proposed approach is proportionate to the size and type of your organisation; and evidence of implementation.

3.2 Culture

Assertion: “Your organisation engages proactively and widely to improve information governance and cyber security, and has an open and just culture for information incidents.”

The culture of an organisation starts with its most senior leaders.  The behaviours that they demonstrate as role models and support and encourage staff to adopt, can have a huge influence on an organisation’s culture.

If senior leaders regularly talk about IG and cyber security, support local campaigns and improvement initiatives, and address incidents and problems openly and consistently, a positive culture will emerge.  Staff will feel able to report incidents and speak openly about concerns and will work together across the organisation to improve practices.  They will make an extra effort to ‘do the right thing’ and follow organisational policies and procedures, knowing that they will be listened to fairly if they have concerns about what those policies require of them.

If senior leaders treat IG and cyber security as inconveniences, take no interest in improvement work, and assign blame in incidents, a negative culture will emerge.  Staff will feel unable to speak openly, and problems are likely to be covered up.  They will know that policies and procedures are not taken seriously, so will ignore or work around them.

Culture is harder to change than a policy or procedure but has a greater effect.  A negative culture easily undermines good policies, and a robust procedure is irrelevant if nobody follows it.  Similarly, the knowledge and skills learned in training will be of no value if your organisational culture does not enable staff to use them in their daily roles.

3.2.1 Board prioritisation

Information governance and cyber security matters are prioritised by the board or equivalent senior leaders.

Prioritisation means that IG and cyber security are given proportionate time and support at board level, not that they are prioritised above everything else.  This is likely to be led by the Senior Information Risk Owner (SIRO) or other board member(s) with specific responsibility for cyber and IG but is only effective if it involves the whole board. This could, for example, be with regular discussion of risks, and agreements to provide resources or funding to support improvement and awareness initiatives.

Senior leaders being visibly present across the organisation to discuss IG and cyber matters and promote improvement or awareness campaigns will help to demonstrate to staff that your organisation takes it seriously.  Specialist leads such as the SIRO and Caldicott Guardian likely already do this because of their roles, but this will be even more effective if staff across the organisation can see their own professions and departments leading by example.  Ensuring that other senior leaders such as the medical, nursing and finance directors are actively engaged in leading discussions about cyber and IG, and supporting improvement initiatives, will mean that staff can directly relate it to their own roles.

3.2.2 Responding to concerns

Actions are taken openly and consistently in response to concerns.

Incidents are sometimes seen as a ‘bad thing’ – nobody wants things to go wrong, and more incident reports can be perceived to mean that more things have gone wrong.  But no organisation is perfect and there is always a risk where data is used; things will go wrong at some point, and what matters then is how you deal with it.

Incident reporting is also a sign that staff understand their responsibilities, and want to report a problem to give the organisation an opportunity to do better in future – to improve practices for staff, and improve outcomes for individuals.  You may also have concerns raised directly by patients or members of the public.

If your organisation habitually responds fairly and transparently to incidents and concerns that are raised, people are more likely to continue raising them, and you will have more opportunity to improve.

You can achieve this by adopting a ‘just culture’ – treating staff involved in an incident in a consistent, constructive and fair way.  In a just culture, people who have caused incidents deliberately or through negligence or recklessness should be held to account, but honest mistakes are not punished.  By looking critically at the processes that led to incidents, you can address underlying issues and make improvements without assigning blame.

Further guidance on just culture in an IG and cyber security context will be published by NHS England.

3.2.3 Staff engagement

Your information governance and cyber security programme is informed by wide and representative engagement with staff.

The programmes managing IG and cyber security, and ongoing work, will already reflect the priorities set by the board – if only at a basic level reflecting the available resources.

The programme should also be informed by engagement with staff in order to meet operational needs.  This can be as simple as ensuring that your steering groups have representative membership, so that each department has a voice in the programme – and so that those members will then champion IG and cyber security within their departments.

Other initiatives may involve staff across the organisation more directly, such as reviewing and updating your information assets and flows register.

If your organisation has a positive culture about IG and cyber security, staff will want to be involved, and are more likely to take the initiative and create improvements without being directed.  Their experience and expertise in their own areas, and their joint ownership of the activities, will help build a strong and effective programme.

Supporting Documents