Professional Comment

Data Security In Care Homes – Practical Advice For Front Line Staff

Steve Turner is a nurse prescriber, Managing Director of Care Right Now CIC (

All nursing and residential homes in England are now recommended to complete the annual NHS Data Security and Protection Toolkit [DSPT], which is a legal requirement for NHS funded services. The DSPT is an online self-assessment tool that measures performance against the National Data Guardian’s 10 data security standards. It links to General Data Protection Regulation [GDPR] and the Data Protection Act 2018.

Whilst larger organisations will be able to pool their resources and share policies, training, operating procedures & related monitoring across their homes, for smaller organisations complying with the DSPT may seem a daunting task. There is help available although some of this, in my opinion, makes the changes needed sound more complicated and onerous than they are.

Here are some tips, based on my experience in supporting Community Pharmacies with the DSPT, to help you make sense of the most important areas of data security and to help keep your residents safe.

There are two aspects to the DSPT. Firstly, the rights of residents as summarised in this chart:

Secondly, keeping the residents’ information safe & secure. Based on our experience with Community Pharmacies here are four areas of specific advice for front line staff:

1. Be alert for suspicious emails. It is possible for an email to display the name of someone you work with while actually coming from another address. Check the displayed name against the full email address. Scammers can seem very credible, sending a message that gives the impression they are a professional, even someone you know. Often these messages are flagged as ‘urgent’. Do not let someone else’s claim of urgency affect the speed of your response. Also, never open attachments or click on links in emails unless you are sure they are safe.

As part of the DSPT all homes must have up to date anti-virus protection in place on all computers and IT systems.

2. There have been a number of telephone scams recently where callers ask you to put the phone down and call them back to verify they are genuine. Again, be careful. It is possible for scammers to stay on the line and give the impression you have called them back.

3. If you receive a request for patient information from the Police (or other official body), you must verify it. They must be able to tell you why they are asking for information, specifically what information is required and under what law they are requesting it. This should be in writing.

4. When you record information about residents on any system, your system supplier must be DSPT compliant. This compliance includes sharing a ‘privacy statement’ which meets UK requirements, being registered with the Information Commissioner, having successfully completed their DSPT and (in my opinion) having a named individual as their Data Protection contact.

It is important to note that this applies to the use of Apps as well. So, for example, sending sensitive personal information via an App (even one that claims to be ‘GDPR compliant’) to a colleague may pose a risk and be outside your local policy.
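The check described in tip 1, comparing the displayed sender name with the full email address, can also be automated for a shared mailbox. The following is an added illustration written for this article, not code from the author or from the DSPT; the contact directory, sender addresses and message headers are constructed for the example and do not refer to real people or organisations. It flags a message when a known colleague's name appears with an unexpected address, when a Reply-To points to a different domain from the From address, and it separately notes pressure language such as ‘urgent’ in the subject.

```python
"""Flag display-name spoofing and pressure language in email headers.

Added example for this article. The contact directory and the sample
messages below are constructed for illustration only.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of known colleagues: display name -> expected address.
# In practice this would be drawn from the home's own staff and partner list.
KNOWN_CONTACTS = {
    "jane smith": "jane.smith@examplecarehome.org.uk",
    "dr ahmed khan": "a.khan@example-gp-practice.nhs.uk",
}

# Words that commonly accompany attempts to rush the reader.
URGENCY_WORDS = ("urgent", "immediately", "action required", "asap")


def _domain(address: str) -> str:
    """Return the lower-cased part after the last '@'."""
    return address.rsplit("@", 1)[-1].lower()


def check_sender(from_header: str) -> list[str]:
    """Compare the displayed name with the full address in a From: value.

    Returns a list of warnings; an empty list means no mismatch was found.
    """
    name, address = parseaddr(from_header)
    if "@" not in address:
        return ["From header has no usable email address"]
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and expected.lower() != address.lower():
        return [
            f"display name '{name}' belongs to {expected}, "
            f"but this message is from {address}"
        ]
    return []


def assess_message(raw_message: str) -> dict:
    """Assess the headers of one message and return identity warnings,
    pressure-language hits and an overall 'suspicious' verdict."""
    msg = message_from_string(raw_message)
    from_value = msg.get("From", "")
    identity_warnings = check_sender(from_value)

    # A Reply-To on a different domain means replies go somewhere other
    # than the apparent sender, a classic sign of a spoofed message.
    _, from_addr = parseaddr(from_value)
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if "@" in from_addr and "@" in reply_addr and _domain(reply_addr) != _domain(from_addr):
            identity_warnings.append(
                f"replies would go to {reply_addr}, not to the sender's domain"
            )

    subject = msg.get("Subject", "").lower()
    pressure = [w for w in URGENCY_WORDS if w in subject]

    # Pressure language alone is not proof; an identity mismatch is what
    # makes the message suspicious.
    return {
        "identity_warnings": identity_warnings,
        "pressure_language": pressure,
        "suspicious": bool(identity_warnings),
    }


# Constructed sample messages (headers only) for demonstration.
SPOOFED_MESSAGE = """\
From: Jane Smith <jane.smith@webmail.example>
Reply-To: accounts@another.example
Subject: URGENT: resident records needed today

"""

GENUINE_MESSAGE = """\
From: Jane Smith <jane.smith@examplecarehome.org.uk>
Subject: Rota for next week

"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("genuine", GENUINE_MESSAGE)):
        print(label, assess_message(raw))
```

Run stand-alone, the script reports two identity warnings and the word ‘urgent’ for the constructed spoofed message, and nothing for the genuine one. The directory lookup is deliberately keyed on the display name, because that is the part a scammer copies; the address is what staff are asked to compare it against.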

Complying with the NHS Data Security and Protection Toolkit is not about box ticking; it is for the benefit of our residents’ safety, and part of what we already do.

Reference: NHS Data Security & Protection Toolkit