A just culture guide for information governance and cyber security
A just culture considers wider systemic issues where things go wrong, enabling professionals and those operating the system to learn without fear of retribution... in a just culture inadvertent human error, freely admitted, is not normally subject to sanction to encourage reporting of safety issues. In a just culture, investigators principally attempt to understand why failings occurred and how the system led to sub-optimal behaviours. However, a just culture also holds people appropriately to account where there is evidence of gross negligence or deliberate acts.
- Professor Sir Norman Williams, Gross negligence manslaughter in healthcare report (June 2018)
Supporting organisations to manage data incident response in a just culture
This guidance supports organisations to understand and embed a just culture in their information governance (IG) and cyber security risk management work, taking a compassionate approach to, and learning from, any data incidents.
It is for leaders and cyber security and IG professionals in NHS organisations and independent providers, arm’s length bodies and suppliers to the health and adult social care sectors. These include executive board members, data protection officers (DPOs), senior information risk owners (SIROs), Caldicott Guardians and leaders in social care.
Please note this just culture guide:
- is intended to be a supporting resource and is one element of a number of processes to be activated in response to a data or cyber incident
- can be used at any point, including when drafting and testing incident response plans. During an investigation, the guide may need to be revisited as more information becomes available
- should not automatically be used for every incident but can be particularly useful if an investigation begins to suggest a concern about an individual’s actions
- does not replace HR or legal advice and should be used in conjunction with organisational policy
- does not replace incident reporting requirements under the Network and Information Systems Regulations 2018, the Data Security and Protection Toolkit (DSPT) and UK General Data Protection Regulation
What is a just culture?
We know that data incidents will happen. We also know that they rarely occur because of one staff member's actions alone. Incidents usually have deeper root causes and require a broader response.
In the context of cyber and IG, a just culture is one that supports fairness, openness and learning when addressing identified cyber vulnerabilities, events, attacks, data breaches or near misses, so that staff feel confident to speak up rather than fearing blame.
A just culture recognises that most professionals do not come to work to make mistakes or to act maliciously.
It allows for learning to take place to help prevent recurrence.
The appendix describes what a just culture might look like in this context: routinely, during an incident and following an incident.
A key outcome of a just culture is continuous improvement, underpinned by timely reporting, protection of those reporting and learning lessons.
NHS England and DHSC’s roles in supporting the achievement of a just culture
To help organisations achieve a just culture, NHS England and the Department of Health and Social Care (DHSC) provide a number of support functions to organisations impacted by a data incident. Reporting an incident in a timely manner means faster access to these functions. The DSPT includes a tool for reporting data incidents to the Information Commissioner's Office, DHSC and NHS England.
The support functions are:
IG policy engagement team
They provide:
- advice and guidance for health and care organisations on achieving a just culture. The guidance encourages transparency while giving healthcare and IG professionals the confidence to challenge processes and practices that do not align with data protection laws
- support for organisations that have experienced a data security incident or have concerns about associated risks and processes, producing tailored incident response guidance where a large number of organisations have been impacted
Note that the IG policy engagement team’s role is advisory; it has no regulatory function. The organisations remain the data controllers or processors as applicable, and it is up to them to make decisions on any issue or incident.
The IG policy engagement team can be contacted by emailing england.igpolicyteam@nhs.net.
Cyber Security Operations Centre (CSOC) incident response team
They provide:
- expert incident response advice and guidance for the NHS and other health and care organisations
- subsidised, on-site technical certified incident response support for containment, forensics and elements of eradication on a case-by-case basis for NHS organisations (subject to assessment)
CSOC plays an advisory and technical support role. Organisations remain responsible for leading their own incident response and will be expected to make local decisions regarding recovery and remediation.
The CSOC team can be contacted by emailing cyber.security@nhs.net or, for immediate advice and guidance related to a cyber security incident, by phoning 0300 303 5222.
DHSC Network and Information Systems team
A DHSC-led regulatory function looks at incidents, under the Network and Information Systems (NIS) Regulations, to:
- oversee the operation of the NIS Regulations for the health sector in England on behalf of the Secretary of State for Health and Social Care
- investigate potential NIS incidents where necessary
- ensure the Secretary of State for Health and Social Care meets their reporting duties under the NIS Regulations, which include reporting to the National Cyber Security Centre (NCSC) on NIS incidents
While this is a regulatory function, most incidents (including those that have met NIS thresholds) do not result in enforcement action. DHSC’s focus is driving resolution and continuous improvement, while ensuring a safe environment for those who fall victim to or wish to report incidents. This requires effective reporting mechanisms, incident planning, response and recovery, and learning. In return, the DHSC NIS team looks to:
- encourage and recognise voluntary reporting efforts that support containment of incidents and mitigation of further impacts
- conduct post-event investigations that focus on resolution and learning, are proportionate to the risks they are addressing, and use outcomes-based principles where appropriate
- seek a collaborative approach with the operators of essential services (OES) community, by boosting OESs' confidence to seek clarification and support and by giving feedback
- seek assurance on the steps OESs are taking to manage risk, prevent and minimise the impact of incidents, and/or ensure timely incident reporting
- recognise cases where individuals are working within constraints that are outside their control or influence
- focus on how the system contributed to cases of human error
DSPT culture assertions
In the version of the DSPT aligned to the National Data Guardian's (NDG) 10 data security standards, the relevant assertion for achieving a just culture is 3.2: "your organisation engages proactively and widely to improve information governance and cyber security and has an open and just culture for information incidents". In the version aligned to the Cyber Assessment Framework (CAF), the relevant outcome is B6.a: "you develop and maintain a positive culture around information assurance".
Teams must take a considered approach to creating a just culture so that openness about lessons learned does not unintentionally disclose unremediated cyber and information risk vulnerabilities to potential attackers or others who seek to exploit them. Sharing what was learned can be done widely; sharing the technical detail of a weakness that has not yet been fixed should be limited to those who need it to remediate.
Questions organisations can ask themselves to assess whether they are meeting the requirements of a just culture routinely, during and after an incident are given in the appendix.
Case study
Best outcome from all organisations, at all levels, having responsibility for creating and maintaining a just culture
Dr H started a new placement in a community health trust. Work pressures meant she did not have time to complete the induction processes, and she began seeing patients on her first day.
Months later, she received an email purporting to be from an IT supplier, requesting her username and password to reset her system account. Dr H completed the linked form before starting work for the day. She later saw a message warning staff that the email she had received was a phishing email but, as the systems continued to work, she did not report that she had responded to it. Later, trust staff found they could not access their user accounts, and the trust's IT supplier discovered that the system had been compromised.
This was the fourth time that year that the trust had experienced staff falling victim to phishing emails. It was concerned that reporting a fourth incident to the national teams could trigger regulatory action, and initially reported the incident only to its integrated care board (ICB). The ICB supported the trust in reporting the incident to NHS England and DHSC via the DSPT. As the trust shares data with its local acute trust and social care organisations, the ICB also confirmed that these were not impacted.
NHS England’s CSOC deployed its Certified Incident Response team to support the trust in mitigating the incident and identifying which data, if any, had been compromised.
Following successful remediation of the incident, the Joint Cyber Unit (JCU; NHS England and DHSC) worked with the trust and ICB to understand what had happened and the impact on patient care. JCU established that the incident met the Network and Information Systems (NIS) incident threshold and therefore captured it in the annual NIS report. Open and transparent information sharing helped the JCU fulfil its reporting requirements. As clear, resourced remediation plans were shared, no further NIS action was necessary.
The trust investigated the incident along with the previous IT and cyber security issues, and found that, while Dr H should have reported the incident, the trust also had responsibility. It could have done more to support Dr H to report the incident and prevent it from occurring in the first place. In response, the trust updated its policy to ensure staff have enough time to complete the compulsory cyber security training module before starting work. It also updated its cyber incident plan and committed to send more frequent communications about cyber risks, including phishing emails.
The ICB recognised that it could provide organisations with additional support and resource to prioritise cyber security and meet cyber security standards. The ICB invested in leadership training and raising awareness and understanding of cyber security risks across organisations. It also recognised that organisations with historical cyber security issues would need further support to maintain a secure environment.
NHS England commended the trust for its openness and transparency throughout the incident, while national teams reflected on the reasons trusts may be hesitant to report incidents. Informed by feedback from the trust, NHS England conducted incident response sessions with the Cyber Associates Network to ensure organisations understood the support offer from and regulatory functions of national teams. With permission, NHS England shared details of the incident and remediation actions across the system.
Relevant guidance
- NHS England’s A just culture guide encourages managers to hold a coherent, constructive and fair evaluation of the actions of staff involved in patient safety incidents and ‘near misses’.
- NHS England’s national speak up policy sets the minimum standard for local Freedom to Speak Up policies across the NHS so that staff know how to speak up and what will happen when they do. It is designed to be inclusive and support resolution by managers wherever possible.
- The People at the Heart of Care: adult social care reform white paper communicated plans to explore ways in which Freedom to Speak Up guardians can be introduced in the social care sector, providing a route for staff to raise concerns and escalate issues around their wellbeing and quality of care, and supporting providers with their employees’ concerns.
- Government guidance on whistleblowing is available, including a list of prescribed people and bodies to whom people can raise concerns.
- NHS England’s Patient Safety Incident Response Framework sets out the NHS's approach to developing and maintaining effective systems and processes for responding to patient safety incidents for the purpose of learning and improving patient safety. The patient safety learning response toolkit promotes a range of system-based approaches that could be applied to data security events.
- Social care staff may wish to refer to the sector’s digital skills framework, which includes the basics that all care staff should aspire to achieve. Guidance, resources and further support specifically for the sector can be found through Better Security Better Care.
- The Health Services Safety Investigations Body (HSSIB, formerly the Healthcare Safety Investigation Branch) also focuses its investigations on systems and processes in healthcare, to identify the factors that could have led, or could potentially lead, to harm for patients. It does this without attributing blame or liability, valuing independence, transparency, objectivity, expertise and learning for improvement.
- The National Data Guardian’s review of data security, consent and opt-outs stresses the importance of encouraging staff to speak up, so a situation can be understood and the reaction to a potential threat is swift and appropriate. This approach is consistent with the principles of a just culture.
Appendix: Characteristics of a just culture
Routine
What might this look like in a just culture?
- Higher numbers of incident reports are perceived as positive.
- Staff speak openly about their learning from failures and mistakes.
- Staff challenge others whose focus is blame rather than learning.
- Proactive communications across the organisation emphasise organisational commitment to reporting and learning.
- Staff at all levels feel able to report concerns about organisational practices and are confident that they will be listened to.
- All levels of management use a range of channels (such as all staff calls, emails, 1-2-1s) to explain what a just culture means to them and invite staff discussion.
- Managers are open with their teams in reporting back discussions they have had around data security and information risk.
- IG and cyber feature in managers’ objectives.
- Just culture is a discussion topic during incident testing and exercises across the organisation.
What questions can organisations ask themselves to assess if they are meeting the requirements?
- Do our staff feel this organisation has a just culture for data incidents?
- When did we last discuss IG and cyber in teams and as an organisation? Was this a proactive initiative or a reactive response to an incident or near miss?
- When did we last promote our mandatory and voluntary training offer? Have we issued reminders about timely completion?
- When did we last update our guidance on data incidents? Does it reflect current ways of working and variations in governance across teams?
- When incident planning, do we consider how we might apply a just culture to different roles and levels of responsibility?
- Have we shared IG and cyber objectives with the wider organisation?
During an incident
What might this look like in a just culture?
- Managers are trained to respond positively to any incident reporting.
- Staff of all grades feel confident speaking up and that they are listened to, without fear of reprimand for reporting.
- A process is in place for staff who wish to report in a confidential way.
- Staff understand the processes to follow and what support they will receive.
- Questions and concerns about data security and information risk are given appropriate time and responses.
What questions can organisations ask themselves to assess if they are meeting the requirements?
- Do our staff know how to report or raise a concern?
- Do junior staff feel safe to report concerns to senior leaders?
- Is there a mechanism for confidential reporting of concerns?
- Does everyone see it as their role to protect data and systems and speak up about issues?
- How would staff report an incident if our intranet or other key communications platforms were not available?
After an incident
What might this look like in a just culture?
- Details of incidents and near misses are shared in the team in which they occurred and across the organisation and discussed as improvement opportunities (subject to any security restrictions).
- Incident and near miss reports are encouraged and conclusions shared with all staff as learning opportunities rather than as problems.
- Learning from incidents is translated into meaningful action, and actions assigned to leads with agreed deadlines. Actions include communicating learning back to staff.
- Positive examples are made of individuals who come forward, perhaps sharing ‘case studies’ as appropriate.
- Identified lessons focus on organisational and procedural issues and the improvements needed to address them, without calling out individual roles or team members.
What questions can organisations ask themselves to assess if they are meeting the requirements?
- Have we considered the incident through a system wide as well as an individual lens?
- How do we constructively follow up on lessons identified by exercises and incidents?
- How have we supported and positively fed back to colleagues who have raised incidents and issues?
- How do staff feel about the incident response process?
- What incident reporting trends have we seen?
- How have we presented trends to relevant levels of senior management, boards and auditors?
- Do our key performance indicators or incident reporting and response metrics reflect changing trends as staff feel more confident to speak up?
- Have we identified where else in the organisation the learning may be relevant?