Data and cyber security: guidance for commissioners of adult social care services

A rough guide to supporting adult social care providers to improve data and cyber security measures.


This guidance is based on experiences since the implementation of the Care Act. It is not formal guidance and should not be applied as such. It should be used to have conversations about how the issues raised can be dealt with locally. It does not constitute legal advice and should not be relied upon in that capacity. Independent legal advice should always be sought. It is likely to change in the light of further experience and will be reviewed as appropriate.

Commissioners will be aware that COVID-19 has profoundly affected the digital landscape with NHS Digital supporting increased adoption of NHSMail and video conferencing solutions such as Microsoft Teams by adult social care providers. Additionally, NHS Digital requirements for completion of the Data Security and Protection Toolkit (DSPT) for NHSMail have been relaxed until the end of September 2020. Nevertheless, the expectation for providers to apply good data and cyber security management remains and the principles in this guide can help support such good practice and the needs of providers as DSPT requirements are reintroduced.

Who is this guidance for? And why is it needed?

This guidance is for commissioners of adult social care services. Technology is increasingly being used in the sector, including by adult social care providers, to support the planning and delivery of adult social care. To help ensure a sustainable and diverse adult social care market, commissioners should support providers to keep systems and information safe and secure. This guidance makes suggestions as to how you might do this.

Why support providers to keep their data and systems secure?

The safe use of technology depends on the safety and protection of not only data but also systems. Keeping both safe is an important component of cyber security.

Understanding wider cyber security, alongside data protection, is essential to prevent disruption to businesses and the services they provide for people. This is not just about technology, but also about individuals understanding their responsibilities and organisations having tested policies and plans. Cyber attacks are increasing in number and sophistication. However, if staff are well trained, tested procedures are in place and technical defences are in use (e.g. a firewall, regular software updates, etc.), then the risk of a cyber attack being successful is reduced. Therefore, the risk of illegitimate access to the data and systems used every day to support people is reduced.

The Data Protection Act (2018) brought in updated protection of personal data and privacy including regulating the processing of that data. However, research (Institute of Public Care [IPC], 2019) has found that many providers may not yet be fully GDPR compliant, and this presents risks to the safety of the data that they hold including client data.

In a wider sense non-compliance means that it could be difficult for some providers to assure key partners (including commissioners) that personal data is being handled safely and securely. This could have further implications where the data has been supplied by the council or CCG and it is important for commissioners to understand their responsibilities here.

Whilst the use of technology is increasing in the sector, awareness of data and cyber security is not yet widespread. Not all providers are aware, for example, that regardless of how much technology they use (even if they don’t use any), they must register with the Information Commissioner’s Office (ICO). Non-registration carries a fine of over £4,000, and this could be critically damaging for small providers, presenting a risk to the market.

There is also a risk of digital exclusion. About one third of providers (IPC, 2019) rely almost exclusively on paper systems, and about 10% of these do not use any IT at all. Without support this group could easily get ‘left behind’ and these types of issues, in time, could impact on the viability of the services they provide to people – a further risk to the market. In addition, availability of good quality broadband can impact on a provider’s ability to maximise use of technology.

Despite the risks, greater use of digital technology has many advantages for providers. Digital innovation provides opportunities to improve quality of care, support individuals to remain independent for longer, and improve the effectiveness of information sharing between health and care (Digital Social Care, undated). In turn, these advantages are of benefit to you as a commissioner, not least that services become more efficient as a result.

Therefore, to support your market shaping responsibilities, there are many reasons why supporting providers to keep their data safe and systems running will be beneficial, both to help achieve efficiencies and to manage risk.