NHS Data Security and Protection Toolkit (DSP Toolkit) - An Easy Introduction to Help Get You Started
The need for data protection permeates almost every business and organisation.
This is particularly true for organisations handling NHS patient data: that data is often highly sensitive, so it is vital that it is kept safe and secure and handled in the right way.
To help with this, organisations that have access to medical records must complete the Data Security and Protection Toolkit at least annually, and ensure they comply with the 10 data security standards.
But what is this toolkit? What are the data security standards? Who needs to complete the toolkit?
All this and more will be explored in this article.
What Is The Data Security and Protection Toolkit (DSPT)?
The Data Security and Protection Toolkit (also known as the DSP Toolkit or DSPT) is an online tool. It contains a series of questions or assertions that can be used by relevant organisations, such as organisations within or working for the NHS, to measure their performance against the data security and information governance requirements mandated by the Department of Health and Social Care (DHSC).
In particular, the organisations can see if they are in line with the 10 data security standards set out by the National Data Guardian, standards they are required to be compliant with.
Organisations answer the appropriate questions in this self-assessment and may need to provide evidence in their answers as proof that their organisation is complying with the data security and protection requirements.
These organisations are required to partake in data security and protection self-assessments annually (or twice a year for larger organisations) to provide assurance that they are remaining compliant with the data security standards.
What Is The Purpose of The DSP Toolkit?
Due to the ever-increasing importance and awareness of data security and data privacy, it is vital that people can trust that their sensitive information (such as patient medical records) is handled correctly and is at minimal risk of a data breach.
The purpose of the DSP Toolkit is to ensure that organisations that handle sensitive data can be trusted to handle it correctly and securely. It also helps organisations by outlining what they are required to do to protect patients' data, providing an extensive list of questions and standards they have to meet.
Essentially, the purpose of the DSPT is to improve trust, increase accountability and ensure compliance with the National Data Guardian’s 10 data security standards.
Which Organisations Need To Complete a DSPT Assessment?
Organisations that need to complete the DSP Toolkit are those that have access to NHS patients and/or their information (e.g. patient records).
Examples of such organisations include:
- Dentists/dental practices
- General practices (GP)
- Clinical Commissioning Groups
- NHS Trusts
- Biomedical organisations
- Research institutions
- Charities linked with the NHS
- Social care
The DSP Toolkit then classes these organisations into four categories based on the scale of risk linked to the organisation’s function. These categories are:
- Category 1 – NHS trusts (e.g. hospitals)
- Category 2 – Arm’s length bodies, CCGs and CSUs
- Category 3 – All other sectors
- Category 4 – GP practices
Each category has slightly different requirements, with Category 1 facing the largest number of evidence requirements, reflecting the typically greater sensitivity and volume of the data these organisations hold, and therefore the greater damage that could be done if that data were compromised.
Furthermore, Category 1 and 2 organisations are required to complete the DSPT twice a year, while Category 3 and 4 organisations are required to complete it only once per year. The increased scrutiny of Category 1 and 2 organisations does not end there: the Toolkits they submit are also subject to independent annual audits.
What Is The DSP Toolkit Process?
The DSP Toolkit consists of 179 questions, although how many you need to answer depends on which category the organisation falls into. These questions are split into 10 sections, one per data security standard. Together they cover the areas where data security and protection need to be considered. The 10 standards are:
- Personal confidential data
- Staff responsibility
- Training
- Managing data access
- Process review
- Responding to incidents
- Continuity planning
- Unsupported systems
- IT protection
- Accountable suppliers
Under each standard there are 'Assertions' which need to be responded to. To complete each assertion, organisations are required to provide evidence which demonstrates compliance with the assertion. Some examples of the evidence types are:
- Evidence of oversight and accountability within your organisation
- Evidence of training carried out within your organisation
- Evidence of the technical controls in place within your organisation
The organisations go through the toolkit, answering and giving evidence for the assertions that their organisation’s category is required to complete. This is called a ‘Standards Met’ assessment. Once it is completed, they can publish their assessment.
Organisations that deal with social care can complete an ‘Approaching Standards’ assessment. This shows that care providers have proven they are making good progress but are yet to achieve ‘Standards Met’.
Organisations that achieve ‘Standards Met’ and also hold a Cyber Essentials Plus certification are given the status ‘Standards Exceeded’.
What Standards Must Practices Meet for DSP Compliance?
We’ve mentioned the 10 data security standards set out by the National Data Guardian, but let’s explore these in a bit more detail.
The 10 National Data Guardian security standards are grouped under three ‘leadership obligations’ (People, Process and Technology). NHS Digital describes these standards as follows:
People - Ensure staff are equipped to handle information respectfully and safely, according to the Caldicott Principles.
- All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. Personal confidential data is only shared for lawful and appropriate purposes.
- All staff understand their responsibilities under the National Data Guardian’s Data Security Standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches.
- All staff complete appropriate annual data security training and pass a mandatory test, provided through the revised Information Governance Toolkit.
Process - Ensure the organisation proactively prevents data security breaches and responds appropriately to incidents or near misses.
- Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to individuals.
- Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security.
- Cyber-attacks against services are identified and resisted and CareCERT security advice is responded to. Action is taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection.
- A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management.
Technology - Ensure technology is secure and up-to-date.
- No unsupported operating systems, software or internet browsers are used within the IT estate.
- A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually.
- IT suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the National Data Guardian’s Data Security Standards.
To read more about the National Data Guardian’s 10 data security standards, see the guide from NHS Digital.
How & Where Do You Register for the DSP Toolkit?
To register for the DSP toolkit, visit the NHS Digital website here: https://www.dsptoolkit.nhs.uk/Account/Register
To register you will need:
- Your email address
- A valid organisation code (or ODS Code) which can be found via the ODS Portal.
What Is The Deadline For Completing The DSP Toolkit?
There is a deadline every year, as the Data Security and Protection Toolkit is an annual self-assessment.
The deadline for the 2021-22 publication is 30 June 2022, although a submission can be made at any point during the year before the deadline.
Where Can You Get DSP Toolkit Training or Assistance?