Data Security Protection Toolkit

Written by Joe Kirk - Business Development Consultant - Education & Healthcare

Data Security and Protection Toolkit Blog

Data Protection People are the market leaders in providing Data Protection compliance services to the Social Housing sector. As we have grown, however, we have diversified and expanded into various other sectors, including charity, financial and organisations offering software solutions as a service. Data Protection People are keen to help and support organisations with their Data Protection compliance requirements. One of the sectors in which we are continuing to grow is the Healthcare sector, both public and private.

What’s the difference?

Public organisations are Government owned and funded. These establishments are part of the National Health Service, better known as the NHS.

Private organisations are run independently from the National Health Service. Some private organisations are commissioned by the NHS, via Clinical Commissioning Groups (CCGs) to provide health and social care services on behalf of the NHS.

All public organisations, and those contracted by the NHS, that are providing health or social care have a contractual obligation under the NHS England Standard Conditions Contract to complete the Data Security and Protection Toolkit (DSPT) annually, by the 30th of June.

What is the DSPT?

The DSPT is a standard that all organisations that have access to NHS patient data and/or systems must complete. The toolkit is designed to enable organisations to demonstrate how they meet the standard and to ensure patient data and confidentiality are handled correctly and kept safe and secure.

The tool is measured against the National Data Guardian’s 10 Data Security Standards which are organised under 3 leadership obligations. More information about the standards can be found here: https://www.digitalsocialcare.co.uk/data-security-protecting-my-information/national-policy/

First Steps

If you fit the above criteria and you haven’t registered, then you will need to register. You can do this here: https://www.dsptoolkit.nhs.uk/Account/Register

To do so, you will need an email address and your organisation’s code (also known as an ODS Code). Once you log in for the first time, you will be asked to choose the most appropriate sector (Optician / trust / ICBs) your organisation falls into. It’s very important you get this right as the answer you give will tailor the questions you need to respond to within your assessment.

In addition to this, you will need to include details of key roles and whether you have any relevant certifications (CE+ / ISO 27001).

Following registration, you will have until the 30th of June to complete a ‘Standards Met’ assessment. All mandatory fields must be completed, the number of which is determined by your organisation type.

Next steps…

Once you have registered, or if you have already registered, you will need to complete the toolkit to the best of your ability whilst submitting evidence as part of the DSPT.

It is your responsibility to provide substantial evidence that demonstrates you have fulfilled the requirements to meet the standards.

It’s not just a box-ticking exercise. There is a chance that you could be audited by either the ICO or NHS Transformation (previously NHS Digital), and they will review whether the evidence that is submitted matches your answers within the toolkit.

There are other instances where the evidence may be reviewed. Say, for example, you had a breach and the ICO looks at your DSPT and your status is ‘Standards Met’: they will ask to see the evidence you submitted to find the reason why a breach has occurred.

Therefore, it is paramount that the evidence you submit accurately reflects the answers you submit.

Completion of the DSPT

Once complete you can then publish your assessment. You can update and republish the assessment as many times as necessary up until the deadline in June. It is critical that at least one assessment has been published by the 30th of June.

Category one organisations (NHS Trusts, ALBs, CSUs and ICBs) are also required to submit a baseline publication by 28th February; that’s 6 months before the final deadline.

Upon completion of the DSPT and once the deadline has passed, each organisation will be categorised into one of four statuses.

These statuses are:

  • Standards not Met
  • Approaching Standards
  • Standards Met
  • Standards Exceeded

What’s the importance of meeting the standards?

Organisations within the sector store data… tons and tons of data. Under the UK GDPR, health data is classed as special category data, which means the data is high risk. Therefore, it is so important for organisations to complete the DSPT to the best of their ability.

It acts as an assurance tool that informs whether an organisation controls and handles data safely. Whether this is a patient looking to use your services or a third party with which the personal data will be shared, they will want to know that you as an organisation have the correct policies and procedures in place to keep the risk to a minimum.

What if we do not meet the standards of the DSPT?

If an organisation does not meet one or more of the National Data Guardian’s 10 Data Security Standards, then it should submit an action plan. The action plan will detail how the organisation is going to make the amendments needed to meet the standards that have not currently been met.

Concerns of the DSPT.

The DSPT is not a particularly easy thing to complete, especially for the individual(s) who is given the responsibility to complete the toolkit as they will have various other responsibilities to carry out as part of their job.

It often gets pushed to the side and forgotten about until the deadline is a few months away and suddenly it is nothing but PANIC!!! Resulting in the DSPT being rushed and you, as an organisation, not getting the full value in completing the toolkit properly and with care.

The DSPT should be completed throughout the year, being added to as you go about your daily monitoring and reviews. I get that not every organisation has the resource to do this, or simply struggles to fulfil the requirements set out, but you should not let this hinder your ability to complete the toolkit – reach out for help, there’s plenty out there…

Learn more

If you would like to learn more about the Data Security Protection Toolkit (DSPT), please visit our events page and register for this week’s event, where we will be joined by the brilliant Barry Moult to discuss the DSPT. Barry will be joined by other leading experts to discuss the toolkit and the annual requirement for it. Check it out here: Data Security Protection Toolkit; Understanding The Changes

Need support with the DSPT

If you need a hand or would like us to review your answers and evidence, then get in touch: Contact Us