Appendix: Characteristics of a just culture
A just culture guide for information governance and cyber security appendix.
Routine
What might this look like in a just culture?
- higher numbers of incident reports are perceived as positive
- staff speak openly about their learning from failures and mistakes
- staff challenge others whose focus is blame rather than learning
- proactive communications across the organisation emphasise organisational commitment to reporting and learning
- staff at all levels feel able to report concerns about organisational practices and are confident that they will be listened to
- all levels of management use a range of channels (such as all staff calls, emails, 1-2-1s) to explain what a just culture means to them and invite staff discussion
- managers are open with their teams in reporting back discussions they have had around data security and information risk
- information governance (IG) and cyber feature in managers’ objectives
- just culture is a discussion topic during incident testing and exercises across the organisation
What questions can organisations ask themselves to assess if they are meeting the requirements?
- do our staff feel this organisation has a just culture for data incidents
- when did we last discuss IG and cyber in teams and as an organisation
- was this a proactive initiative or a reactive response to an incident or near miss
- when did we last promote our mandatory and voluntary training offer
- have we issued reminders about timely completion
- when did we last update our guidance on data incidents
- does it reflect current ways of working and variations in governance across teams
- when incident planning, do we consider how we might apply a just culture to different roles and levels of responsibility
- have we shared IG and cyber objectives with the wider organisation
During an incident
What might this look like in a just culture?
- managers are trained to respond positively to any incident reporting
- staff of all grades feel confident speaking up and that they are listened to, without fear of reprimand for reporting
- a process is in place for staff who wish to report in a confidential way
- staff understand the processes to follow and what support they will receive
- questions and concerns about data security and information risk are given appropriate time and responses
What questions can organisations ask themselves to assess if they are meeting the requirements?
- do our staff know how to report or raise a concern
- do junior staff feel safe to report concerns to senior leaders
- is there a mechanism for confidential reporting of concerns
- does everyone see it as their role to protect data and systems and speak up about issues
- how would staff report an incident if our intranet or other key communications platforms were not available
After an incident
What might this look like in a just culture?
- details of incidents and near misses are shared in the team in which they occurred and across the organisation and discussed as improvement opportunities (subject to any security restrictions)
- incident and near miss reports are encouraged and conclusions shared with all staff as learning opportunities rather than as problems
- learning from incidents is translated into meaningful action, and actions assigned to leads with agreed deadlines; actions include communicating learning back to staff
- positive examples are made of individuals who come forward, perhaps sharing ‘case studies’ as appropriate
- identified lessons should focus on addressing organisational and procedural issues, through organisational improvements and without calling out roles or team members
What questions can organisations ask themselves to assess if they are meeting the requirements?
- have we considered the incident through a system-wide as well as an individual lens
- how do we constructively follow up on lessons identified by exercises and incidents
- how have we supported and positively fed back to colleagues who have raised incidents and issues
- how do staff feel about the incident response process
- what incident reporting trends have we seen
- how have we presented trends to relevant levels of senior management, boards and auditors
- do our key performance indicators or incident reporting and response metrics reflect changing trends as staff feel more confident to speak up
- have we identified where else in the organisation the learning may be relevant
Last edited: 7 May 2026 4:33 pm