Data Security Standard 3 - Staff training
Overview
Staff have an appropriate understanding of information governance and cyber security, with an effective range of approaches taken to training and awareness.
"Our colleagues are our best defence against patient harm from cyber-attacks. Appropriate training helps in avoiding disruption to patient care and avoiding patient harm. Organisations now have the flexibility to determine how best to interpret their responsibilities to respect people’s confidentiality and manage cyber security risk and ultimately enhance patient safety."
Phil Huggins
National Chief Information Security Officer for Health and Social Care
What’s changed for 2023/24?
Until July 2023, the DSPT required that you train at least 95% of your staff using the national Data Security Awareness Level 1 e-learning or a local equivalent.
This has changed for 2023/24. You now need to ensure that all your staff have an ‘appropriate understanding of information governance and cyber security’.
This means that you will have more flexibility to set local training requirements that are appropriate to different staff roles, and to adopt a range of different methods to deliver that training. Your approach will need to be proportionate to the size and type of your organisation.
The new DSPT training requirement consists of three parts:
Training needs analysis - You will need to analyse staff training needs to decide what ‘appropriate understanding’ means for your staff. This is likely to vary between roles.
Delivery of training and awareness activities - You will need to deliver the training and awareness activities that you decide will maintain the appropriate level of understanding across the different staff roles.
Evaluation - You will need to evaluate the effectiveness of your approach to ensure that you have met the underlying outcome of appropriate understanding.
This guidance relates to the 2023-24 (version 6) standard.
Last edited: 28 September 2023 11:12 am