Council Meeting

16 May 2023

Present

Dr Arjun Dhillon (Chair), Dr George Fernie (Vice-chair), Dr Faouzi Alam, Dr Neil Bhatia, Carey Bloomer, Dr Chris Bunch, Prof Martin Crook, Helen Dyer, Christopher Fincken, Mr Adrian Marchbank, Allison Newell, Dr Matt Noble, Dr Erum Nomani, David Riley

Guests

John Hodson (Cyber Security Senior Consultant, Data Security Centre, NHSE)

Observers

Colin Harper, Claire Rafferty, Dr Gabrielle Tamura-Rose, Debbie Topping

Secretariat

Ryan Avison, Dr Helen Bauckham

Apologies

Rhidian Hurle, Darren Lloyd, Captain Pete Selwood, Brig Duncan R Wilson

Declarations of interest

Can be found on register of interests. No other new interests were declared.

Notes of previous meeting and matters arising

Council reviewed the notes of the 30 March 2023 Council meeting and accepted them as an accurate record. There were no matters arising.

Action log

The UKCGC Chair and Council members reviewed the action log. Five actions remain open with an update provided by the Chair on progress for each. All other actions were agreed as having been completed or ongoing prior to this meeting.

Chair and Vice Chair’s report

The Chair and Vice Chair updated Council on recent activities and the key meetings they have attended:

1.  New Council Members: the UKCGC Chair welcomed Dr Erum Nomani and Dr Neil Bhatia as new Council members. Erum and Neil have both been Council observers for a significant period and always bring enthusiasm and insightful contributions. Find out more about all our Council members here.

2. Caldicott Guardian Conference: The Caldicott Guardian conference is taking place on 23 May 2023. The UKCGC Chair thanked all Council members who are speaking at the event.

3. UKCGC Bulletin: the UKCGC bulletin was distributed on 04 May 2023. This bulletin outlined some of the upcoming events taking place with UKCGC. The bulletin is available on the UKCGC website.

4. Breakfast Clubs: the last breakfast club took place on 26 April 2023. The next breakfast club is on 31 May 2023.

5. Evening Classes: Helen Dyer has started a series of evening classes for Caldicott Guardians. The next evening class is taking place 17 May 2023 from 5:30-6:30pm and will be on “Data protection impact assessments for Caldicott Guardians”

6. UKCGC Chair attended NDG Panel: the UKCGC Chair attended the NDG Panel meeting on 09 May 2023. Guests included Genomics England (GEL) and a piece of work being led by the NDG Office on Pre-hospital Emergency Medicine (PHEM) feedback.

General Updates from Council Members

This new agenda item in Council meetings is a dedicated space for Council members to discuss updates on working groups, breakfast clubs, evening classes and UKCGC representation on meetings.

Dr Chris Bunch provided an update on the working group to consider training courses and professional standards for Caldicott Guardians. Helen Dyer provided updates from the breakfast clubs and evening classes for Caldicott Guardians.

Requests for advice to Council

Council discussed recent requests for advice. The Chair noted that requests were mostly routine questions where the secretariat signposted inquirers to the relevant guidance.

DSP Toolkit Update

John Hodson (Cyber Security Senior Consultant, Data Security Centre, NHSE) attended Council to present an update on the Data Security and Protection Toolkit (DSPT). John explained the purpose of the DSPT, outlined plans for the toolkit for the next few years and the importance of getting the toolkit right for different organisations.

John outlined that the most significant challenge with the DSPT is the requirement that “At least 95% of all staff have completed their annual DSPT training.” The main limitation to achieve this are the diverse staff groups tasked with completing standardised training that may not be specifically relevant to their job role. The most significant change to the DSPT in 2023/24 will therefore be to the ‘Data Security Awareness Training’ requirement.

The updates to the DSPT will consider best practice from the ICO’s Accountability Framework, which outlines the importance of considering the training needs of all staff and ensure the training plan is specific to the individual’s responsibilities.

The 2023/24 DPST will also apply the NCSC’s Cyber Assessment Framework (CAF), which provides staff with the “appropriate awareness, knowledge and skills to carry out their organisational roles effectively in relation to the security of network and information systems supporting the operation of essential functions.” The transfer of cyber elements of the DSPT to CAF provides an outcomes-based framework. This will provide organisations more flexibility to decide how they deliver an outcome, rather than the current, more prescriptive approach of the DSPT.

John acknowledged the risks associated with the proposed approach to DSPT requirements for training, including the variance in organisation’s decisions with tailored training, the requirement for organisations to rely on national e-learning provisions and the perception that this adapted model will weaken the requirements of the DSPT.

Council thanked John for an insightful and engaging presentation and were encouraged by the continued work to improve DSPT compliance. Council supported the adaptive and responsive approach the DSPT team are taking, and recognised the importance of putting emphasis on staff education specific to the individual’s role, rather than standardised training. Council offered to continue supporting the DSPT team and welcome John back to Council to provide further updates.

Topics from Council Members

Council members are invited to submit topics of interest for discussion at Council meetings, in advance of the meeting.

A question that was raised at a recent breakfast club: “Is there a resource that collates case law summaries relating to Caldicott issues? For example, is there a continuously updated summary of Common Law relevant to the Caldicott job?”

Dr Neil Bhatia shared with Council a fact sheet he has developed to cover all relevant case law for breach of confidence and breach of privacy.

Other Business

No other business.

Next meeting

The next meeting will be held virtually on Wednesday 19 July 2023 from 13:00-16:30pm.