One of the most overlooked requirements of the Data Security and Protection Toolkit (DSPT) is staff training. Every organisation that handles NHS data — from large GP Federations to small courier services — must ensure that staff are trained in information governance (IG) annually.
It’s not just a tick-box activity. Staff understanding of confidentiality, data breaches, and secure handling of personal information is critical to service quality and regulatory compliance.
The good news? It doesn’t have to be complicated.
In this blog post, we’ll show:
- What the DSP Toolkit expects in terms of training
- Who needs to be trained (and how often)
- What a good IG training programme looks like
- How to make it easy for your organisation, even with limited resources
Why Training Matters for DSPT (and for CQC)
The DSP Toolkit requires organisations to demonstrate that all staff with access to personal data have received IG training in the last 12 months.
It’s also a Care Quality Commission (CQC) expectation. In inspections, CQC reviewers often ask:
- How do staff learn about confidentiality and data security?
- Can you show records of IG training and completion?
- What happens when new starters join?
This applies to:
- Care staff and support workers
- Volunteers and part-time staff
- Digital platform administrators
- Public health officers and community link workers
- Business intelligence analysts
- Subcontracted delivery staff
Whether you’re a GP Federation, charity, local authority, or NHS supplier — training must be in place and trackable.
Who Needs Training?
Everyone in your organisation who:
- Handles personal or sensitive data (paper or digital)
- Has access to systems that store NHS data
- Sends or receives patient-related emails or referrals
- Works in partnership with NHS organisations
- Supports patients through commissioned services
This includes:
- Clinical and non-clinical staff
- Volunteers and agency staff
- Drivers and logistics personnel
- IT administrators
- Data processors and analysts
- Records scanning or courier teams
It’s not just frontline workers — senior managers and directors also need refresher training.
What Should IG Training Cover?
Training should be relevant to the tasks your team performs. The DSP Toolkit expects coverage of key areas, including:
- What is personal data and sensitive health data?
- What are the rules under UK GDPR and the Data Protection Act 2018?
- What’s the right way to share data securely?
- What are the Caldicott Principles?
- What’s a data breach and how should staff respond?
- Why confidentiality matters in care and service delivery
- How to use email, phones, apps, and records safely
What Makes Good IG Training?
✅ Accessible
The training should be in plain English, easy to follow, and available online or in print.
✅ Practical
Use examples relevant to your setting — such as handling paper files in a care home, or secure referrals from a social prescribing service.
✅ Certificate-based
Completion should generate a record or certificate. This provides your DSP Toolkit evidence and can be requested during CQC inspections.
✅ Refreshable
Staff should repeat training every 12 months. New starters should be trained as part of induction — not after the fact.
Challenges Organisations Often Face
Many non-NHS providers struggle to train staff consistently due to:
- High turnover or part-time staff
- Limited access to digital learning platforms
- Lack of in-house IG expertise
- No tracking system for completions
This is particularly true in:
- Voluntary and third-sector services
- Public health teams with external delivery partners
- Care homes with agency workers
- Subcontractors like couriers or IT vendors
How to Make Training Easy
To meet DSP Toolkit standards without overloading your team, consider these tips:
1. Use a Simple eLearning Platform
There are purpose-built platforms that provide:
- Interactive IG training modules
- Staff login or bulk enrolment
- Certificates and progress tracking
- Automated reminders
Look for solutions specifically aimed at:
- Social care
- Charities and voluntary groups
- NHS contractors and subcontractors
2. Adapt Training to Your Team
One-size-fits-all doesn’t work. Use different formats:
- Short video explainers
- PDF booklets or posters
- Interactive quizzes
- In-person workshops for complex roles
3. Centralise Training Records
Maintain a simple spreadsheet or dashboard showing:
- Who completed training
- When it was done
- What modules were covered
- Who still needs to complete it
This becomes your evidence log for DSPT and inspections.
4. Include in Induction
Every new team member should complete IG training as part of their onboarding. That includes contractors, agency workers, and volunteers.
Example: Primary Care Subcontractor
A business intelligence firm working under a PCN contract was accessing appointment and prescribing data. But:
- Staff had no IG training
- Analysts didn’t know what a data breach was
- There was no training log or tracking
After implementing short-role-specific training with built-in reporting:
- 100% of staff completed IG training in 2 weeks
- A log was submitted with their DSP Toolkit evidence
- The client (a GP Federation) retained the supplier under contract
Don’t Wait Until You’re Asked
If you’re preparing for a DSP Toolkit submission, start by checking:
- When was the last time each team member completed IG training?
- Do you have a certificate or record of completion?
- Is training tailored to your service?
If not, that’s the first action to take.
Make IG Training a Habit, Not a Headache
Training doesn’t have to be overwhelming. With the right tools and planning, even small providers or external contractors can meet DSP Toolkit standards and build confident, capable teams who protect patient data every day.
Call to Action:
🎓 Want to see what simple, effective IG training looks like? Get instant access to a demo module – no login needed.