Theme 5: Being safe and secure online

About this theme

Use this guidance to understand the skills and training your organisation needs to stay safe and secure online and prevent unauthorised access to your systems and data. 

This video shows why developing these skills is so important for social care providers. 

1. Understand the importance of data and cyber security and my personal responsibility for handling data safely

Everyone has a responsibility for ensuring their organisation is cyber secure. This means IT systems are protected from digital attacks. Cyber-attacks, if successful, can result in services being disrupted, critical information being lost or financial loss.

It is important that all staff keep up to date with their organisation’s data protection and cyber security training.

2. Understand the requirements of, and apply the principles of data security and protection legislation

Legal requirements on data security can be found in the Data Protection Act 2018 and General Data Protection Regulation (GDPR). There is a range of resources that summarise how these requirements apply in social care settings.

3. Know that there are different types of data security threats (both physical and digital) and how to avoid them

Data security threats can relate to:

  • social engineering – this is when someone tries to trick or manipulate people to gain access to information. A type of social engineering is ‘phishing’. This is where you receive an email, text message or phone call that appears genuine but is actually malicious. It is important you can spot the signs and do not click on suspicious links or open attachments
  • password security – using a strong password, not sharing your password with other people, and using a separate password for different accounts are all important for protecting information and data security
  • use of devices – keeping your computer, tablet or mobile phone safe will reduce risks if it gets lost or is stolen. It is important to lock devices when not in use and be careful what you download onto devices, to reduce risk of viruses

4. Know who to speak to in my organisation if I am concerned there may have been a data breach or risk to data security

It is important that data security incidents and near misses are reported to the responsible person in your organisation (the Data Protection and Security Lead or Data Protection Officer) as soon as possible. In some cases, it may be necessary to report an incident to the police. If you are unsure who has this responsibility in your organisation, speak to your manager or review your organisation’s Data Protection Policy.

5. Know how to identify signs of online abuse and safeguard others who may be at risk of cyber crime or other harmful online activity

Online harms can include identity fraud, bullying, grooming, blackmail or scamming. Everyone who works in social care is responsible for protecting people from harm and abuse, and this includes online forms of harm. See your organisation’s safeguarding policy for more information.

For more information on how to reduce potential negative impacts from technology, see theme 6 – Ethical use of technology.

Knowledge criteria Additional information Useful resources

6. Put in place robust arrangements to ensure the security of data and data management systems, in line with legislation and data security standards. 

Care providers are required to ensure they have appropriate data security arrangements in place as set out in the CQC’s ‘Well led’ questions and quality statements. This is also a requirement of completing the Data Security and Protection Toolkit (DSPT) – a self-assessment that all CQC-registered care providers should complete at least once a year.

Better Security, Better Care is a national and local support programme to help adult social care providers to store and share information safely. It focuses on helping care providers to complete the DSPT.

7. Support and develop others to understand their responsibilities towards data security and model good practice

Ensuring that staff and colleagues are competent in data security and protection is essential for running a safe, quality service. It is a requirement of Data Security and Protection Toolkit compliance that at least 95% of staff have completed annual Data Security Awareness Training in the last twelve months.

8. Know how to respond to data and security breaches, including how to report incidents to relevant bodies and ensure lessons are learned.

Cyber-attacks can happen to anyone. If a data security incident occurs, it is important to act quickly to reduce the potential for harm. This should include understanding the nature of the problem, reporting the incident, gathering information about possible impact and seeking support from national organisations.

You can report any incidents through the Data Security and Protection Toolkit. The Toolkit can also help you decide if you need to report the cyber-attack to the Information Commissioner’s Office.

9. Identify data that is critical to the running of my organisation, and work with IT specialists to ensure necessary data back-ups are undertaken and contingency plans are in place.

Keeping data backed up separately from your computer systems is important for business continuity and will mean you can still access key data, even in the event of a cyber-attack. It is important that contingency plans are in place to ensure your service can continue to operate safely if computer systems are compromised.

10. Understand the importance of regular software updates and anti-virus software, and work with IT specialists to ensure suitable arrangements are in place.

Regular software updates are important for protecting devices, computers and IT systems, while anti-virus products protect against and remove malicious software.
