Earlier this year, NHS Digital confirmed that it was extending the 2020/2021 assessment period for the DSP (Data Security and Protection) Toolkit until 30 September in light of the COVID-19 pandemic.
Organisations now have until March 2021 to achieve compliance. In this blog, we explain what you need to do and how you can get started.
Data security standards and the GDPR
The ten data security standards set out by the National Data Guardian apply to all organisations that handle health and social care information.
These standards form the main assertions of the DSP Toolkit and do not differ too greatly from the requirements of the IG (Information Governance) Toolkit.
The standards cover aspects of data security, consent and opt-outs, and are clustered under three leadership obligations:
- People: Ensure staff are equipped to handle information respectfully and safely, according to the Caldicott Principles.
- Process: Ensure the organisation proactively prevents data security breaches and responds appropriately to incidents or near misses.
- Technology: Ensure technology is secure and up to date.
In addition to these data security standards, the DSP Toolkit requires organisations to demonstrate how they comply with the GDPR (General Data Protection Regulation).
The GDPR was introduced in May 2018 as a pan-European data protection law. This is supplemented in the UK by the DPA (Data Protection Act) 2018, which fills out the sections of the Regulation that were left to individual member states to determine. The DSP Toolkit requires organisations to meet the key requirements, as identified in NHS Digital’s GDPR checklist.
Staff awareness has been added as a requirement of the DSP Toolkit to tackle the risks that poor education around data handling poses to healthcare organisations.
The IG Toolkit mandated certain training procedures, a requirement roughly in line with the third data security standard: “all staff complete appropriate annual data security training and pass a mandatory test”.
However, the DSP Toolkit takes this a step further, demanding staff awareness by default. It must now be part of an overall organisational security culture.
The CQC (Care Quality Commission) will inspect registered organisations and give them a rating based on certain ‘key lines of enquiry’ (KLOEs). The CQC’s ratings will be based on evidence from the organisations’ submissions.
Providers will have one of four ratings, from ‘inadequate’ to ‘outstanding’, based on how well each mandatory assertion of the DSP Toolkit has been met.
In addition to the CQC’s inspection, organisations are expected to take a much more active approach in demonstrating their compliance.
To avoid the DSP Toolkit becoming another lengthy tick-box exercise, submissions require additional information, including named individuals responsible for information security, and relevant documentation and/or certification to be evidenced.
Achieve DSP Toolkit compliance
You can accelerate your DSP Toolkit compliance project with our comprehensive tools and templates.
Designed and developed by expert data security and governance specialists, this handy set of documentation templates contains all the documents and tools you need to achieve full compliance.
Save time and money with more than 80 ready-to-implement policies and procedures and start your DSP Toolkit compliance project today.
A version of this blog was originally published on 19 February 2019.