Less than two months remain for healthcare organisations to demonstrate compliance with NHS Digital’s DSP (Data Security and Protection) Toolkit. To avoid the disruption caused by not meeting this deadline, organisations need to be aware of the changes that the DSP Toolkit brings compared to its predecessor, the IG (Information Governance) Toolkit.
Data security standards and the GDPR
The ten data security standards set out by the National Data Guardian apply to all organisations that handle health and social care information. These standards form the main assertions of the DSP Toolkit and do not differ too greatly from the requirements of the IG Toolkit.
The standards cover aspects of data security, consent and opt-outs, and are clustered under three leadership obligations:
- People: Ensure staff are equipped to handle information respectfully and safely, according to the Caldicott Principles.
- Process: Ensure the organisation proactively prevents data security breaches and responds appropriately to incidents or near misses.
- Technology: Ensure technology is secure and up to date.
In addition to these data security standards, the DSP Toolkit requires organisations to demonstrate how they comply with the GDPR (General Data Protection Regulation).
The GDPR was introduced in May 2018 as a pan-European data protection law. This is supplemented in the UK by the DPA (Data Protection Act) 2018, which fills out the sections of the Regulation that were left to individual member states to determine. The DSP Toolkit requires organisations to meet the key requirements, as identified in NHS Digital’s GDPR checklist.
Staff awareness has been added as a requirement of the DSP Toolkit to tackle the risks that poor education around data handling poses to healthcare organisations. The IG Toolkit mandated certain training procedures, which was roughly in line with the third data security standard: “all staff complete appropriate annual data security training and pass a mandatory test”. However, the DSP Toolkit takes this a step further, demanding staff awareness by default: it must now be part of an overall organisational security culture.
The CQC (Care Quality Commission) will inspect registered organisations and give them a rating based on certain ‘key lines of enquiry’ (KLOEs). The CQC’s ratings will be based on evidence from the organisations’ submissions. Providers will have one of four ratings, from ‘inadequate’ to ‘outstanding’, based on how well each mandatory assertion of the DSP Toolkit has been met.
In addition to the CQC’s inspection, organisations are expected to take a much more active approach in demonstrating their compliance. To avoid the DSP Toolkit becoming another lengthy tick-box exercise, submissions require additional information, including named individuals responsible for information security, and relevant documentation and/or certification to be evidenced.
How to prepare for the DSP Toolkit
In preparation for the DSP Toolkit, organisations should consider updating their documentation to meet the new standard. IT Governance Publishing’s (ITGP) DSP Toolkit Documentation Templates have been created by information security experts within the healthcare sector. The templates are aimed at organisations in both the ‘small’ and ‘large’ organisation categories (as defined by the DSP Toolkit).
Buy the DSP Toolkit Documentation Templates in February to receive one free hour of Live Online consultancy with a member of our healthcare team, who can help you plan your implementation project.