Data Security Standard 2 - Staff responsibilities

Standard 2, The National Data Guardian (NDG) review

It also explains that:

Data protection and security induction

When staff start with a new organisation, it is during their induction period when they are likely to be at their most vulnerable. They may not understand the organisation’s systems, policies and procedures, its cultures or norms.

Your organisation should have a data security and protection induction in place which helps staff to understand their obligations under the National Data Guardian’s data security standards.

The induction should also contain specific sections on:

• what social engineering is
• safe use of social media and email
• the dangers of malicious software
• how to protect information
• physical security

It is important that the messages are local and specific to your organisation. They should include local procedures and policies, and refer to examples of specific local incidents where possible.

If you would like to see a practical example, the National Cyber Security Centre has produced an e-learning training package which can be integrated into your own organisation’s training platform or learning management system (LMS). The introductory Data Security Level 1 training and the new advanced e-learning on information sharing for frontline and administrative staff can also be accessed on ESR or hosted on your organisation's LMS. Speak to your HR team or LMS administrators if you would like to organise this.

Delivery of the induction

There are no stringent guidelines on how the course should be delivered, however it is important that it is effective and resonates with your audience. Some of the delivery methods you can consider are:

• a separate event
• part of a wider employee induction day or programme
• face to face group sessions
• digital delivery (such as e-learning or webinars)

Staff scope

It is important that your organisation keeps a record of which staff members have received the appropriate training, and when training is due for renewal. This also includes staff who work at, but not directly for, your organisation, such as:

• contracted staff
• volunteers 
• staff seconded into your organisation

The organisation either needs to verify that the training received by contracted staff by their parent organisation, such as an agency, is satisfactory or ensure that those staff attend the organisation’s induction.

Review

It is good practice to encourage your staff to provide feedback on the induction they have received, both on the content and the delivery. This will allow you to refine it and make improvements. 

You should also regularly review the content to ensure it is relevant and up to date.

Your organisation’s staff contracts should have appropriate clauses referencing data security and protection, with an emphasis on their duty to ensure the confidentiality, integrity and availability of health and care data. Most contracts commonly focus on confidentiality clauses, whilst overlooking the other important dimensions. Example clauses are available for organisations to adopt below.

“By signing this contract, you confirm that you have read, understood and will comply with the organisation’s data security and protection policies [or add your organisation’s relevant policy or policies title(s) here], a copy of which is available at [add location] and agree to undertake mandatory information governance training, upon commencement of employment and on an annual basis thereafter.

This clause applies to any information obtained during the course of your employment with the organisation and which is confidential in nature and of value to the organisation including but not limited to patient records and details, confidential information relating to organisation or business contracts, financial affairs, service or commercial contracts and information relating to confidential policies of the organisation.

You may disclose confidential information as necessary for the purposes of carrying out your duties. However, you shall not, during your employment or at any time after its termination for any reason, use or disclose to any person or persons whatsoever (except the proper officers  of the organisation or under the authority of the Board) any trade secrets, secret or confidential information and you shall use your best endeavours to prevent any such use or disclosure.

Disclosure of confidential information, trade secrets or secret information other than in accordance with this clause may be detrimental to the business of this and other relevant organisations and may amount to gross misconduct.

You will not obtain financial advantage, directly or indirectly, from a disclosure of confidential information acquired by you in the course of your employment. Your duty of non-disclosure continues after termination of employment.

Nothing in this clause shall apply to information disclosed pursuant to any order of any court of competent jurisdiction or any information which,  except through any breach of this or any other agreement by you, is in the public domain, is required by an appropriate regulatory authority or information disclosed for the purpose of making a protected disclosure within the meaning of Part IVA of the Employment Rights Act 1996.”

If you are managing third-party personnel, you are likely to be managing them through a contract as discussed in Data Security Standard 10: Accountable suppliers.