Data and cyber security: guidance for commissioners of adult social care services

A rough guide to supporting adult social care providers to improve data and cyber security measures.

This guidance is based on experiences since the implementation of the Care Act. It is not formal guidance and should not be applied as such. It should be used to have conversations about how the issues raised can be dealt with locally. It does not constitute legal advice and should not be relied upon in that capacity. Independent legal advice should always be sought. It is likely to change in the light of further experience and will be reviewed as appropriate.

Who is this guidance for? And why is it needed?

Technology has changed the way we deliver social care, and the COVID-19 pandemic has expedited this. Whilst advances in technology bring benefits for the sector, and for the people the sector supports, they also present risks in how information is managed and kept secure.

Data and cyber security is a major issue for all organisations. It is about safeguarding confidentiality and privacy of people’s personal data as well as the availability and integrity of that data, all of which are vital to transfer people smoothly between care settings and to ensure the quality of care. This is not just about technology, but also about individuals understanding their responsibilities and organisations having tested policies and plans in place. Cyber attacks are increasing in number and sophistication. However, if staff are well trained, tested procedures are in place and technical defences are in use (e.g. a firewall, regular software updates, etc.), then the risk of a cyber attack being successful is reduced.

Understanding data and cyber security is essential to prevent disruption to care provider businesses and the services they provide for people. It is also important in avoiding the risk of digital exclusion, so that providers don’t get ‘left behind’. To help ensure a sustainable and diverse adult social care market, and to safely share information between health and care, commissioners should support the social care provider sector to improve data and cyber security measures. This guidance is for commissioners of adult social care services. It makes suggestions as to how you might do this.

How to support providers with data and cyber security

There are a range of ways in which commissioners could support care providers with data and cyber security. However, local authorities and CCGs will have differing amounts of resources available to them. This guidance, therefore, is arranged in order of priority, with highest priority activities for commissioners to consider listed first. Commissioners should consider offering the following support:

Signposting, advice and awareness training

Signposting by commissioners and providing an authoritative source of advice helps to raise awareness of data and cyber security within the sector. The following are recommended:

Signposting to information about data and cyber security

The National Cyber Security Centre (NCSC) is the authority on cyber security and has useful advice, guidance and resources, including an accessible Cyber Security: Small Business Guide. It now also incorporates Cyber Aware, which aims to support simple secure online behaviours to help individuals and families protect themselves from cyber criminals.

Get Safe Online is a UK public-private sector partnership supported by the government, which provides a wealth of free expert advice and resources to help people and organisations stay safe online.

Run by social care providers for social care providers, Digital Social Care is a website dedicated to providing advice and support to the sector on technology and data protection. It has a range of resources and accessible information all specifically targeted at social care providers. It is the go-to site for care providers. It is particularly helpful to those who are still getting to grips with data and cyber security, and has guidance on the basics of Cyber Security.

Commissioners should consider giving data and cyber security training and signposting ‘packs’ to small or local services that are entering or new to the market. Other ways to signpost information include through:

  • Your regular provider email and written communications.
  • Provider contract monitoring meetings.
  • Provider forums. Discussion helps to engage providers in the subject matter from a practical perspective and helps ‘bring it to life’. Providers with greater knowledge and experience than others can be very effective in supporting these conversations.
  • Providing a ‘safe space’ for provider-led exchanges.
  • Local care provider associations and partnerships. Engagement through this type of route can be particularly effective.

To keep the subject ‘live’, communications should be conducted on a periodic and ongoing basis. Face-to-face routes, including one-to-one support, are often the most effective, because these facilitate discussion and reflection. During this period of remote working under COVID-19, and for large and rural areas, video conferencing and webinars can be useful alternatives.

Advice on how to manage the most common cyber security risks

As part of the national cyber security programme, the Institute of Public Care at Oxford Brookes University carried out research to identify the common, key risks that social care provider services face. The programme report identified the top three cyber security risks prevalent in the sector as: backups; smartphone security; and passwords. Commissioners should support social care providers to take precautions against these three risks, including signposting them to the guidance below:

1. Backups

It is important to take regular backups of important information and to check that the backups can be restored. The National Cyber Security Centre provides advice on backups and in 2020 published further advice on cloud backup options for mitigating the increased threat of ransomware related to COVID-19 as more people are now working at home.

2. Smartphone security

The use of mobile phones in care settings must be safe and secure, but often the risks from smartphones are not considered as thoroughly as the risks posed by computers or tablet devices. The National Cyber Security Centre provides advice on smartphone security.

3. Passwords

Strong passwords can help prevent unauthorised access to systems and devices which store important information. Digital Social Care has advice on how to use strong passwords.

Information Commissioner’s Office (ICO) registration

Registration with the ICO is a legal requirement for every organisation that processes personal information, unless they are a not-for-profit organisation that qualifies for an exemption or do not use any computers or electronic systems, e.g. emails, fax, text messages etc. Non-registration can result in a significant fine.

If an organisation is not already registered, they should register as a matter of urgency.

All regulated organisations will have an ICO registration number. Commissioners can check whether providers in their area are registered (and alert them if they are not) by searching the ICO register. Note that the not-for-profit exemption is very limited in scope and it is unlikely that regulated care providers will be exempt. If there is doubt whether an organisation needs to register and pay a fee to the ICO, the ICO has a registration self-assessment that can be used to check.

Awareness training on data and cyber security

Commissioners should help social care providers to access reliable sources of data and cyber security awareness raising training. This could be by signposting providers to free training from authoritative sources such as:

National Cyber Security Centre Stay Safe Online: top tips for staff: an online course that’s easy-to-use and takes less than 30 minutes to complete. It’s not sector specific, but has good generic advice on how to stay safe and an excellent quiz at the end.

BT Skills for Tomorrow: online courses that have clear structured lessons from how to create strong passwords through to securing employee devices and networks. They are not sector-specific, but technical aspects are presented in accessible language.

In addition, CCGs, health trusts and councils will have training in place for their health and care staff and commissioners could approach them to see if access to these courses by local care providers can be negotiated. Local police may offer cyber security fraud awareness training workshops and/or visits to check an organisation’s arrangements, which commissioners could organise for local care providers.

Commissioners could also consider providing cyber security advice ‘surgeries’, for example with your organisation’s Data Protection Officer or cyber security lead in attendance.

Your use of secure email

Providers need assurance that emails sent by your organisation are secure (by being encrypted); however, this is not always made clear. If you are not using an obviously secure system such as Egress (where a password is needed), ensure that your email footer, for example, includes a statement about encryption.

Further support to care providers with data and cyber security

Contract and contract monitoring requirements

Data and cyber security good practice should be required through provider contracts which specify evidence for safe and secure handling of information. To reduce duplication and promote standard and consistent evidence of data and cyber security, it is recommended that commissioners build into contracts the requirement to complete the Data Security and Protection Toolkit (DSPT), at the level of Standards Met.

The DSPT is an online self-assessment, provided by NHS Digital, which is tailored for use within social care, is free, and is increasingly being used by providers as evidence for CQC. Already cited in many NHS contracts, completion of the DSPT as evidence ensures a standard and consistent approach across and for the sector.

The following wording is suggested for use by council commissioners in contracts with care providers:

Data Security and Protection Toolkit (DSPT)

The Provider must give assurance that they are practising adequate data security and that personal information is handled in accordance with appropriate legislation and best practice.

The NHS Digital Data Security and Protection Toolkit (DSPT) is a free online annual self-assessment for this purpose, tailored for use in social care. The Provider must annually complete and publish the DSPT and comply with its mandatory requirements. This should be at the level of Standards Met. Initially, the Provider may complete the DSPT at the level of Approaching Standards but their accompanying action plan must assure that Standards Met will be achieved by the following assessment period.

Better Security, Better Care

To aid DSPT completion, the Provider may access enhanced national and local support available through the Better Security, Better Care programme.

Support to complete the Data Security and Protection Toolkit (DSPT) 

The Data Security and Protection Toolkit (DSPT) is a self-assessment tool on the safe and secure handling of information for health and social care providers. Information about the Toolkit is provided by Digital Social Care.

The DSPT is already mandatory for contracts with the NHS, and prior to COVID-19 had been a precursor for providers to access NHSMail, which is a secure email system. It is also increasingly being used as evidence in CQC inspections. To complement the national Better Security, Better Care programme, commissioners should support providers to complete the DSPT to Standards Met level.

Support for providers to complete the Toolkit can be provided in a number of different ways; suggestions for these include:

  • Assign the role of local Toolkit champion. One or more members of commissioning staff are given responsibility for understanding Toolkit requirements and how to use it; the Toolkit champion then raises awareness of the Toolkit and provides training or other support to local providers.
  • Find out what support other local or regional organisations are providing. For example, NHS England Ageing Well leads are working with care homes to support them with the Toolkit.
  • Provide training and other support, perhaps as part of an existing training offer. There are resources available (see section on Signposting above) to support training offers, including with Toolkit registration. Training can be delivered in a group environment or as one-to-one support.

Examples of good practice

Nottinghamshire County Council supported care homes, domiciliary care and supported living providers within the county. Starting with raising awareness of data and cyber security, including business continuity planning, providers were then supported to complete the DSPT to Standards Met level, through a series of calls and on-site visits.

Wiltshire CCG provided one-to-one support for nursing homes across Bath and North East Somerset, Swindon and Wiltshire to complete the DSPT to meet the standards required for NHSMail prior to COVID-19. Support offered included one-to-one consultations, advice and access to resources and guidance. Following an initial on-site visit, ongoing support via email/phone was provided.

Tips for effective DSPT training and support are included in the Adult Social Care Data and Cyber Security Programme 2019/20 report published by the Institute of Public Care.

Critical friend support

Commissioners could consider offering critical friend support including on-site visits or virtual meetings to chat through individual provider arrangements, in order to raise awareness of any risks and to develop an action plan and provide signposting.  This can be done through:

Conversations with providers should be led by a member of staff who is sufficiently familiar with the subject area and knowledgeable about sources of further help and support, e.g. the ‘Toolkit champion’ mentioned above. 

Crucially, this type of supportive intervention, conducted outside of any contract monitoring arrangements, can help providers to think in depth about their arrangements for data and cyber security with encouragement to make improvements, without the worry of being judged or penalised in some way.

Business continuity plans and disaster recovery testing

Most providers will have a business continuity plan in place. Traditionally this type of document will cover areas such as fire or bad weather, but it may not cover access to the critical data needed to continue to provide people’s care should the means to access that data be lost (e.g. through power cut, internet failure, or computer breakdown or other IT problems). Without such a plan in place there is the risk of personal data becoming unavailable or lost, which is a potential data breach.

Commissioners can support providers to have effective business continuity plans for data and cyber security through:

  • Raising awareness of the importance of including data access in business continuity plans.
  • Sharing and promoting use of a business continuity plan (data) template. An example business continuity plan template is available from Digital Social Care.

Once plans are in place, these need to be tested; otherwise it will not be clear whether the plans would work in practice, i.e. when they are really needed. This could result in data needed for providing care not being available in an emergency. Commissioners could support providers to test their plans through:

  • Raising awareness about the importance of providers testing their plans.
  • Running simulated ‘tests’ with providers, including of:
    • Cyber attacks such as ransomware
    • Internet failure
    • Power failure
  • Signposting providers to the tests included within the template available from Digital Social Care as above.

Results from any tests conducted should be discussed with the provider and any improvements should be included in an action plan drawn up by the provider and followed up by the commissioner.

Support to obtain IT services

In addition to pointing providers to Digital Social Care’s Buyer’s Guide for External IT Support, ways in which commissioners could consider helping providers to find suitable IT services include:

  • providing advice as to what to look for in an IT support company
  • offering a service to evaluate an IT company on behalf of a provider (this could be a charged-for service) utilising the above advice
  • facilitating word of mouth recommendations, as part of signposting as above.

Where the LGA does not maintain the links provided, it assumes no responsibility for its contents nor does any link constitute an endorsement of any other site, its sponsor or its contents. The LGA cannot guarantee links will permanently work and has no control over the availability of linked pages.