Part of Data Security Standard 3 - Staff training

Culture (3.2.1 - 3.2.3)

Outcome:

Your organisation engages proactively and widely to improve information governance and cyber security, and has an open and just culture for information incidents

The culture of an organisation starts with its most senior leaders. The behaviours that they demonstrate as role models, and support and encourage staff to adopt, can have a huge influence on an organisation’s culture.

If senior leaders regularly talk about information governance (IG) and cyber security, support local campaigns and improvement initiatives, and address incidents and problems openly and consistently, a positive culture will emerge. Staff will feel able to report incidents and speak openly about concerns and will work together across the organisation to improve practices. They will make an extra effort to ‘do the right thing’ and follow organisational policies and procedures, knowing that they will be listened to fairly if they have concerns about what those policies require of them.

If senior leaders treat IG and cyber security as inconveniences, take no interest in improvement work, and assign blame in incidents, a negative culture will emerge. Staff will feel unable to speak openly, and problems are likely to be covered up. They will know that policies and procedures are not taken seriously, so will ignore or work around them.

Culture is harder to change than a policy or procedure but has a greater effect. A negative culture easily undermines good policies, and a robust procedure is irrelevant if nobody follows it. Similarly, the knowledge and skills learned in training will be of no value if your organisational culture does not enable staff to use them in their daily roles.


Board prioritisation (3.2.1)

Information governance and cyber security matters are prioritised by the board or equivalent senior leaders

Prioritisation means that IG and cyber security are given proportionate time and support at board level, not that they are prioritised above everything else. This is likely to be led by the senior information risk owner (SIRO) or other board member(s) with specific responsibility for cyber and IG but is only effective if it involves the whole board. This could, for example, be with regular discussion of risks, and agreements to provide resources or funding to support improvement and awareness initiatives.

Senior leaders being visibly present across the organisation to discuss IG and cyber matters and promote improvement or awareness campaigns will help to demonstrate to staff that your organisation takes it seriously. Specialist leads such as the SIRO and Caldicott guardian likely already do this because of their roles, but this will be even more effective if staff across the organisation can see their own professions and departments leading by example. Ensuring that other senior leaders such as the medical, nursing and finance directors are actively engaged in leading discussions about cyber and IG, and supporting improvement initiatives, will mean that staff can directly relate it to their own roles.


Responding to concerns (3.2.2)

Actions are taken openly and consistently in response to concerns

Incidents are sometimes seen as a ‘bad thing’ – nobody wants things to go wrong, and more incident reports can be perceived to mean that more things have gone wrong. But no organisation is perfect and there is always a risk where data is used; things will go wrong at some point, and what matters then is how you deal with it.

Incident reporting is also a sign that staff understand their responsibilities, and want to report a problem to give the organisation an opportunity to do better in future – to improve practices for staff, and improve outcomes for individuals. You may also have concerns raised directly by patients or members of the public.

If your organisation habitually responds fairly and transparently to incidents and concerns that are raised, people are more likely to continue raising them, and you will have more opportunity to improve.

You can achieve this by adopting a ‘just culture’ – treating staff involved in an incident in a consistent, constructive and fair way. In a just culture, people who have caused incidents deliberately or through negligence or recklessness should be held to account, but honest mistakes are not punished. By looking critically at the processes that led to incidents, you can address underlying issues and make improvements without assigning blame.

Further guidance on just culture in an IG and cyber security context will be published by NHS England.


Staff engagement (3.2.3)

Your information governance and cyber security programme is informed by wide and representative engagement with staff

The programmes managing IG and cyber security, and ongoing work, will already reflect the priorities set by the board – if only at a basic level reflecting the available resources.

The programme should also be informed by engagement with staff in order to meet operational needs. This can be as simple as ensuring that your steering groups have representative membership, so that each department has a voice in the programme – and so that those members will then champion IG and cyber security within their departments.

Other initiatives may involve staff across the organisation more directly, such as reviewing and updating your information assets and flows register.

If your organisation has a positive culture about IG and cyber security, staff will want to be involved, and are more likely to take the initiative and create improvements without being directed. Their experience and expertise in their own areas, and their joint ownership of the activities, will help build a strong and effective programme.


Last edited: 27 September 2023 1:13 pm