First look at the new DSP Toolkit shows additional requirements for healthcare organisations

The Information Governance (IG) Toolkit is being replaced with the Data Security and Protection (DSP) Toolkit from April 2018, giving healthcare organisations until 31 March 2019 to comply with the new, more comprehensive guidelines.

NHS Digital has released the draft assertions that will form the DSP Toolkit and is hosting a series of webinars aimed at demonstrating the new system. The toolkit addresses the data security standards as proposed by the National Data Guardian Review and offers different mandatory requirements based on the size and nature of the organisation.

In addition to updating the toolkit to reflect current compliance obligations, the DSP Toolkit introduces new criteria that organisations must address in order to comply, including:

  1. Data Security Standard 5: Organisations will be required to review their processes annually to identify any that have caused a breach or a near miss, and to plan for continual improvement of their cyber security measures.
  2. Data Security Standard 7: Organisations will be required to have a business continuity plan that is available to deploy should a cyber incident or data breach occur. This plan should be tested annually.
  3. Data Security Standard 10: Large organisations will be required to flag suppliers who fall significantly short of the security standards identified by the National Data Guardian and the DSP Toolkit.

The deadline for completing the DSP Toolkit is 31 March 2019, although larger organisations are requested to complete their submissions by October 2018. The DSP Toolkit will be available to complete from April 2018. Organisations that have submitted their IG Toolkit v14.1 will be invited to register their account for read-only access prior to this in a phased rollout.

Organisations holding Cyber Essentials Plus certification will be able to prepopulate some required criteria when completing their toolkit application, as the conditions to achieve certification surpass the expected standard of the toolkit.

More information on achieving Cyber Essentials Plus is available on the IT Governance website.

One thing that won’t be changing is the type of organisations that need to demonstrate DSP Toolkit compliance. In their online FAQ, NHS Digital states that “[t]he general guidance on which organisations need to complete the toolkit is unchanged”.

If your organisation requires DSP Toolkit compliance, or if you are unsure whether this applies to you, talk to one of our healthcare experts, who will be able to advise which toolkit is applicable to you.

You might also be interested in our free brochure, Cyber security in healthcare.