NHS: Data Protection

(asked on 17th March 2025)

Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, what steps he is taking to ensure that NHS Data Security and Protection Toolkit (a) guidance and (b) training is adequate to ensure that NHS staff are compliant with the UK General Data Protection Regulation when working (i) at their place of work and (ii) remotely.


Answered by
Karin Smyth
Minister of State (Department of Health and Social Care)
This question was answered on 25th March 2025

The main source of the UK General Data Protection Regulation (UK GDPR) and information governance (IG) guidance and advice for health and care is the NHS England IG portal, which is available at the following link:

https://transform.england.nhs.uk/information-governance/

The Data Security and Protection Toolkit (DSPT) includes IG elements to ensure that organisations meet UK GDPR standards. Accompanying DSPT guidance created for small and large health and social care organisations signposts to the IG portal, with further information for both small and large health and social care organisations available, respectively, at the following two links:

https://digital.nhs.uk/cyber-and-data-security/guidance-and-assurance/data-security-and-protection-toolkit-assessment-guides

https://digital.nhs.uk/cyber-and-data-security/guidance-and-assurance/2024-25-caf-aligned-dspt-guidance

The IG portal guidance is produced on behalf of NHS England, the Department, and key national stakeholders. It is approved by the Information Commissioner’s Office, the United Kingdom’s regulatory authority for data protection, and the National Data Guardian, the independent advisory body for ensuring people’s confidential data is safe.

The IG portal provides guidance on a range of topics, including when working remotely, as, for example, it includes guidance on video conferencing and frequently asked questions on accessing information when working from home, with further information on both video conferencing and the frequently asked questions available, respectively, at the following two links:

https://transform.england.nhs.uk/information-governance/guidance/using-video-conferencing-and-consultation-tools/

https://transform.england.nhs.uk/information-governance/frequently-asked-questions/#covid-19-questions-for-health-and-care-organisations

To comply with the DSPT training requirements, the vast majority of health organisations use the centrally provided NHS England Data Security Awareness (DSA) course. NHS England reviews the DSA training on an annual basis to ensure that it reflects current best practice for using, sharing, and protecting information.

In addition, the Joint Cyber Unit of NHS England and the Department provides online IG training modules, including simple and engaging training for front line staff on information sharing, with further information available at the following link:

https://portal.e-lfh.org.uk/Component/Details/750310
