Planned digitisation of patient data and the rising threat of cyber crime mean data protection and security are rapidly becoming a priority for healthcare organisations.
In response, the Information Governance Toolkit (IG Toolkit) is being replaced with the Data Security and Protection Toolkit (DSP Toolkit) as the assurance framework for all health and social care organisations. Organisations will be required to complete the DSP Toolkit from April 2018, just one month before the EU General Data Protection Regulation (GDPR) and the Security of Network and Information Systems (NIS) Directive come into force.
The Department of Health (DoH), in conjunction with NHS England, has released guidance on these changes in the 2017/18 Data Security and Protection Requirements. This document outlines the steps that will need to be taken for organisations to demonstrate implementation of the ten data security standards recommended by the National Data Guardian, and details the statutory obligations that most healthcare organisations will face from April 2018.
The data security standards are grouped into three leadership obligations: people, processes and technology. Requirements include training staff to an appropriate data security and protection standard, business continuity planning to respond to cyber security incidents and checking that suppliers hold the necessary certification, including Cyber Essentials and ISO 27001 where appropriate.
The DSP Toolkit requires healthcare organisations to demonstrate compliance with a set of assertions that is aligned with the GDPR, rather than with the separate requirement set of the old IG Toolkit.
Data security as a board-level objective
Leadership Obligation One – People
“Senior Level Responsibility: There must be a named senior executive to be responsible for data and cyber security in your organisation. Ideally this person will also be your Senior Information Risk Owner (SIRO), and where applicable a member of your organisation’s board.”
As detailed in the National Data Guardian Review, “The IG Toolkit has often been seen as a tick-box exercise.” The DSP Toolkit aims to change this by treating data protection as a core part of organisational culture, with named senior ownership that puts it on the agenda of senior management and board members rather than leaving it to an information governance function alone.
How this will be enforced has yet to be set out in detail, although it is likely that DSP Toolkit submissions from NHS organisations will be subject to audit.
Compliance as a culture
Achieving ISO 27001-accredited certification demonstrates that an organisation has implemented an information security management system (ISMS) that an independent, accredited certification body has assessed against the standard.
ISO 27001 delivers a risk-based set of technical controls, policies and procedures, and promotes a culture of information security awareness across the organisation. Certification is not in itself proof of GDPR compliance, but it provides documented evidence to the regulator that an organisation has identified its information risks and put appropriate technical and organisational measures in place to address the data security requirements of the GDPR.
IT Governance is globally known as the authority on ISO 27001. Our team successfully led the world’s first ISO 27001 certification project and has worked for the past 15 years to hone our tools and solutions, including toolkits, training, standards, software and consultancy.
Bringing together this range of products, our DIY packages offer the most comprehensive mix of ISO 27001 tools and resources on the market to meet the unique needs of an organisation. Discover a tailored approach to certification with one of our four expertly curated packages.