Training staff about their data privacy and security responsibilities

Data custodians provided examples of the approaches taken to ensure that current and new staff members remain aware of their data privacy and security protection responsibilities.

In Iceland, the small Health Ministry staff involved in processing personal health data including dataset linkages is very experienced. There is no formal training process, but in the event of the introduction of a new staff member, experienced staff would train them.

When a new analyst joins the UK SAIL team in Wales, they are coached by a more experienced team member regarding the requirements for data governance and data protection, as well as on the SAIL data system.

In Switzerland, employees of the FSO are trained by their supervisors regarding their responsibilities for data security and privacy protection. There is a project underway, however, to introduce FSO internal training in conjunction with the development of organisation-wide guidelines on privacy and security.

In Finland, data linkage activities in response to external data requests are undertaken within one unit. This unit also fulfils internal data linkage requests, however, some data linkages for THL’s own research activities are undertaken within other units. All employees must pass an online test for basic security knowledge. Each new employee should be brought up to speed about relevant legislation and rules by their head of unit or a mentor and there are organisation-wide events to educate all staff about security concerns few times a year.

Data linkage activities are also not concentrated within SSI in Denmark. At SSI, new employees are given documents to read regarding their responsibilities to protect data privacy and confidentiality and it is mandatory for new employees to sign a paper attesting that they have read and will abide by the rules. A lawyer within SSI offers a course for new employees regarding their responsibilities under the law regarding data privacy protection. Similarly, Statistics Canada requires new employees to read their responsibilities and attest that the responsibilities have been read and understood and that they will comply with them. Statistics Canada also requires new employees to take on-line training on data confidentiality and security and their responsibilities and they must pass the course.

In Canada, CIHI has a training programme for all staff on their requirements to protect data security and the training guidelines are publicly available on the CIHI website. In Spain, the Health Ministry also ensures that staff members are trained on their role in protecting data privacy and confidentiality.

In Korea, HIRA employees are provided online training of privacy protection yearly, online ethics courses biyearly, and information security training biannually.