Part of Data Security Standard 3 - Staff training

Training needs analysis and delivery (3.1.1 to 3.1.3)

Training needs analysis (3.1.1)

Training and awareness activities form part of organisational mandatory training requirements, with a training and awareness needs analysis (covering all staff roles) that is formally endorsed and resourced by senior leadership

Before you deliver any training, you should understand what training and awareness is needed to ensure that your staff have an appropriate level of understanding.

All staff working in a health and care organisation need some understanding of information governance (IG) and cyber security. The level will vary depending on the staff member’s role, for example:

  • a staff member with routine access to employee or confidential health and care information needs to understand how to protect and handle it appropriately to ensure it is accurate and available when needed
  • researchers and senior health professionals need a more advanced understanding of what they can and cannot lawfully do with confidential health and care information
  • a staff member using a digital device such as a PC, tablet or smartphone needs to be aware of their responsibilities to protect information from cyber risks - this includes staff working in areas such as facilities and estates
  • a staff member who unintentionally comes across confidential information, for example by overhearing a conversation or seeing sensitive details displayed in a work area, needs to understand how to respond appropriately
  • staff members whose roles require additional data security and protection training, such as information governance staff or data protection officers, need that specialist training on top of the general baseline

The process of deciding the level of understanding that different staff groups need to have, and the training that is best suited to achieving it, is known as a training needs analysis (TNA). You can use any appropriate method for your analysis and record it in any format you choose.

Conducting a TNA allows your organisation to:

  • assess the level of training appropriate for each staff group
  • plan resources needed to deliver training
  • deliver role-specific training
  • identify and address potential gaps in the delivery of training

TNAs are iterative – as your organisation completes one cycle of training, the TNA should be reviewed and updated to reflect new national requirements, refinements in the delivery of training based on staff feedback, or changes within your organisation that impact the TNA.

Once completed and approved, the TNA should be uploaded as part of your response to 3.1.1.

View an example TNA template for a fictional organisation. You can use one of these template TNAs or another template.

Frequency of training

As part of the TNA, you should consider the frequency of training appropriate for each role. For example:

  • on joining your organisation and annually thereafter
  • different refresher intervals for different roles

You are free to decide what is appropriate, provided it meets the outcome of staff having and retaining the necessary understanding for their role.

Appropriate resourcing and approval

Your TNA should be formally endorsed by your board or equivalent senior leadership and resourced appropriately, so that it is realistic. You should include evidence of this as part of your response to 3.1.1.


Delivery of training and awareness activities (3.1.2)

Your organisation’s defined training and awareness activities are implemented for all staff

Training and awareness-raising activities can be delivered in a variety of ways, and you are free to decide which methods to use for different staff groups.

It is good practice to use a range of training approaches, and this usually results in better participation and comprehension. Some people respond well to e-learning; others may benefit more from face-to-face training. See for example the good practice guidance on training and awareness published by the Information Commissioner's Office (ICO) and National Cyber Security Centre (NCSC).

Both formal training and informal awareness-raising methods have their place in delivering the different levels of understanding required.

Formal training is more structured and measurable, and can be useful to ensure specific topics are covered across a group, or to deliver more complex or compliance-based content. For example, you might decide to use e-learning to provide basic knowledge to all staff, with additional training in different forms to meet the specific needs of different staff groups.

Informal methods can be very helpful to raise awareness across the organisation or for specific staff groups. Alternatively, you might decide that formal training isn’t appropriate for staff that need a less advanced level of knowledge, and therefore maintain their awareness through less formal methods.

Your programme can take into account previous training that individuals may have received in your organisation or elsewhere, and the current level of awareness in different groups in your organisation. Interviews with a small representative sample of each staff group can help you gain an understanding of this.

Monitor and record your activities

You will need to monitor and record your training and awareness activities to give assurance to your board and auditors that you are delivering them in accordance with your training needs analysis and reaching all relevant staff.

Formal training approaches

Formal training is delivered in a systematic, intentional way. It can occur in a face-to-face setting or through an online learning platform. This training is structured and more easily measurable, and can be useful for detailed training or to ensure coverage of specific topics.

Examples of formal training approaches that can contribute to the required outcomes include:

  • in-house face-to-face training (with national or local training material – such as an induction presentation)
  • e-learning modules (such as the national Data Security Awareness module)
  • external conferences or courses – attending relevant cyber or IG events with continuing professional development (CPD) points or certificate of attendance
  • course syllabus with modules covering data protection and confidentiality which have been completed by newly qualified frontline staff such as a nurse or social worker
  • relevant qualifications obtained by staff in specialist roles

Training for senior and specialist staff

It is important that your plans account for the specific training required for the following 3 staff groups:

1. Senior leadership roles - this includes:

  • senior information risk owners (SIROs)
  • Caldicott guardians
  • other board members

2. Specialist staff - ‘specialist staff’ in this context refers to those whose roles include particular responsibility for handling or protecting information, and therefore require advanced training in data security and protection, such as:

  • information governance staff
  • cyber security and IT staff

3. Clinical coding roles

Leaders and board members

Having leaders who are actively engaged in data security and protection brings tremendous benefits to organisations.

SIROs, Caldicott guardians and other members of the board should receive specialist training that is relevant to their role as soon as they are appointed, as well as regular refresher training, in line with your TNA. Your organisation may choose to deliver bespoke training through your own teams or you may use a third-party training provider. It is important that training programmes for SIROs, Caldicott guardians and board members (including both executive and non-executive roles) cover both cyber security and IG.

Learning opportunities for leaders and board members should be appropriate to the seniority of the leaders and the accountability they hold. SIROs in NHS trusts and commissioning support units (CSUs) can access cyber security training free of charge through NHS England. Caldicott Guardians can take various routes towards specialist training: free training is available via e-learning for healthcare and further information is available at the Caldicott Guardian Council website.

Clinical coding staff

Clinical coding has a set standard for the time frames and levels of training required. The training given must use material that conforms to National Clinical Coding Standards and applies to both classroom-based and online delivery formats.

Further information

See Useful training resources

See Training Annex for clinical coding

Awareness raising activities

These activities will support continued awareness and can be used to deliver highlights and time-limited themes or signpost to more detailed training. They will need to be used in combination with more formal methods to meet all of the required outcomes for your organisation. Useful content and graphics to support these activities are available as part of the Keep I.T. Confidential campaign.

Here are examples of activities you can run to raise awareness in the workplace:

Intranet pages

Normally available to all staff who use a computer, and can be updated regularly. You can include dedicated cyber security and IG information pages prominently on your staff intranet.

Staff newsletters

These can be made available to all staff via email and intranet and printed off and put on noticeboards for staff that do not use IT equipment. They can include regular updates regarding IG and cyber security news, tips and tricks, as well as learning opportunities.

All staff events

Speakers from your IG and cyber security teams can present and answer questions. Presentations can be made at team, department or specialty level, with content tailored to the audience.

Lunch and learn sessions

Run a series of lunch and learn topic-based sessions either face-to-face, remotely, or a combination of the two. The series could cover topics such as password protection; protecting personal and confidential data; sharing information; email phishing; tailgating; physical offline security; social engineering; unlocked screens; and privacy best practice.

Drop-in clinics

Run weekly or fortnightly drop-in clinics for staff to attend with their specific IG and cyber security questions. This method can be useful to identify potential incidents or risks, develop 1:1 knowledge, and signpost staff to appropriate training.

Shadowing opportunities

Offer shadowing access to more experienced staff to showcase what good cyber and IG practice looks like in everyday work.

Videos

Key IG and cyber staff can record pieces to camera to help inform and educate staff. These short, educational videos can then be posted to your staff intranet.

Staff awards

Share examples of staff and teams who are championing good IG and cyber behaviours. Consider nominating them in your staff awards scheme to provide recognition and positive reinforcement of those behaviours.

Examples of regulatory action

Use examples where regulators such as the Information Commissioner’s Office (ICO) have taken action against staff working in health and care, to highlight that data protection and cyber security are taken seriously.

Case studies

Post to your staff intranet case studies or blog posts of queries reported to IG and IT/cyber teams that prevented an incident occurring.

Keep I.T. confidential campaign

Use the free resources from the Keep I.T. confidential campaign to promote good IG and cyber security around your setting. You can:

  • print and display the posters around your site
  • share material on your social media channels
  • run the digital banners on your intranet site
  • promote training through email signature banners
  • use the pop-up banners for events and physical spaces
  • install screen savers on staff computers

Evaluation (3.1.3)

Provide details of how you evaluate your training and awareness activities

By evaluating your training and awareness activities, you will understand whether the training needs set out in your analysis have been met, and whether you have achieved the outcome of staff having appropriate understanding of IG and cyber security.

There are a variety of ways you could seek to evaluate the effectiveness of the training methods you have implemented in your organisation.

Models of evaluation

The Chartered Institute of Personnel and Development provides more detailed guidance on methods that can be used in evaluation. The Kirkpatrick model is the most prevalent framework for evaluating learning, and consists of four evaluation levels: reaction, learning, behaviour and results.

For example, the ‘reaction’ level can be assessed with questionnaires at the end of a training session. Determining whether staff then retain the knowledge and skills from the training requires more in-depth evaluation.

Your organisation should regularly monitor the effectiveness of your training methods. If your chosen methods are not producing the anticipated results, you will need to review why, and make the necessary changes – either to your training material or methods – to increase compliance. This should also result in an updated TNA to reflect the new approach.

A few examples are provided below:

| Evaluation technique | Description | Time needed | Number of respondents |
|---|---|---|---|
| Post training questionnaire | Participants are asked to complete a short survey at the end of the training / intervention to assess their reaction | Low | Medium/high |
| Survey | Undertaking regular surveys of a random sample of staff both before and after interventions can demonstrate change over time | Low | High |
| Focus groups | Running focus groups with a cross section of staff can allow for more detailed feedback on the effectiveness of an intervention | Medium | Medium |
| Interviews | One to one interviews allow for more in-depth questioning | High | Low |
| Suspicious emails reported to IT | IT departments may be able to provide data on the number of suspicious emails reported, or other relevant metrics which could demonstrate a shift in cyber awareness | Low | High |
| Evaluation of IG and cyber queries | Number of queries reported that would or could have led to incidents if no advice had been sought | Medium | Medium |
| Audits | Independent evaluation of the training activities in place and their respective outcomes | High | Medium |
| Spot checks | Random checks on individual activities linked to training | Medium | Low |
| Number of incidents reported to the ICO | IG teams should hold a record of any incidents reported to the ICO | Low | Low |

Audit

The DSPT audit guidance will cover training with a focus on the governance of the TNA approvals; whether the proposed approach is proportionate to the size and type of your organisation; and evidence of implementation.


Last edited: 27 September 2023 1:12 pm