The Data Security and Protection (DSP) Toolkit
From April 2018, the DSP Toolkit will replace the Information Governance (IG) Toolkit as the standard for cyber and data security for healthcare organisations.
Compliance with the DSP Toolkit requires organisations to demonstrate that they are implementing the ten data security standards recommended by the National Data Guardian Review as well as complying with the requirements of the General Data Protection Regulation (GDPR).
The DSP Toolkit will apply to all healthcare organisations: both NHS and industry partners.
NHS Digital has released the draft assertions of the DSP Toolkit, as well as giving certain organisations access to the prototype portal. The draft assertions indicate that organisations will have to demonstrate that they are implementing the guidelines set out in the 2016 National Data Guardian Review:
|
Data Security Standard 1
|
All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form.
|
|
Data Security Standard 2
|
All staff understand their responsibilities under the National Data Guardian’s Data Security Standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches.
|
|
Data Security Standard 3
|
All staff complete appropriate annual data security training and pass a mandatory test.
|
|
Data Security Standard 4
|
Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to individuals.
|
|
Data Security Standard 5
|
Processes are reviewed at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security.
|
|
Data Security Standard 6
|
Cyber-attacks against services are identified and resisted and CareCERT security advice is responded to. Action is taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection.
|
|
Data Security Standard 7
|
A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management.
|
|
Data Security Standard 8
|
No unsupported operating systems, software or internet browsers are used within the IT estate.
|
|
Data Security Standard 9
|
A strategy is in place for protecting IT systems from cyber threats, which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually.
|
|
Data Security Standard 10
|
IT suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the National Data Guardian’s Data Security Standards.
|
Access to the prototype portal is available before April 2018 and provides a full list of the requirements by organisation type.
For more information or to discuss the changes relevant to your organisation, speak to one of our healthcare experts >>
Preparing for DSP Toolkit compliance:
The deadline for completing the DSP Toolkit is 31 March 2019, although larger organisations are requested to complete their submissions by October 2018. Beginning the compliance journey alongside other regulatory changes, such as the GDPR, means organisations can streamline their compliance activity, avoiding duplication and ultimately saving money.
-
DSP Toolkit Documentation Templates
Designed and developed by expert data security and governance specialists, this handy set of documentation templates provides all the documents and tools you need to ensure full compliance.
Find out more >>
-
DSP Toolkit Compliance Service
The DSP Toolkit Compliance Service is a bespoke consultancy service that delivers a detailed review of your organisation’s data protection regime, recommended corrective actions for achieving full DSP Toolkit compliance, updates to any necessary documentation, support and guidance to improve your security practices and an online submission of the DSP Toolkit to NHS Digital.
Find out more about this service now >>
-
DSP Toolkit Gap Analysis
The DSP Toolkit Gap Analysis is ideal for organisations new to the toolkit’s requirements. It delivers an expert, in-person assessment of your data security and privacy arrangements against the toolkit’s detailed specifications.
Find out more about this service now >>
-
DSP Toolkit FastTrack
The FastTrack™ service helps you meet the DSP Toolkit’s requirements quickly and effectively for a fixed price. Our team of data security and protection experts will outline exactly what is required to achieve full compliance and help implement any necessary remedial actions at a budget and in a timeframe convenient to you. Applicable to small organisations only.
Find out more about this service now >>
Staff awareness survey
The DSP Toolkit requires organisations to complete a staff awareness survey annually to quantify the level of preparedness for cyber incidents across the whole organisation.
The survey highlights 17 areas where employees should be adequately trained to understand their responsibilities to data security and how to maintain critical business functions within their role should a cyber incident occur.
More information on staff awareness training is available in our e-learning module >>
Cyber Essentials
Cyber Essentials is a world-leading, cost-effective assurance mechanism for companies of all sizes. The scheme provides five security controls that, according to the UK government, could prevent the majority of common cyber attacks.
Organisations with Cyber Essentials Plus certification will be able to prepopulate some criteria when completing their toolkit application, as the certification conditions surpass the expected standard of the toolkit. Achieving certification will also prepopulate many of the compliance statements within the online portal, reducing the time and cost needed to demonstrate compliance.
Click here to find out more about Cyber Essentials Plus >>
Safe data, safe care – CQC review
In July 2016 the Care Quality Commission (CQC) released its findings on safe data management in the NHS. It took three elements of data security into account: confidentiality, integrity and availability.
The CQC discovered that, although there was widespread commitment to data security, staff training and suitable infrastructure were not in place to manage this in line with day-to-day needs.
The CQC recommended six areas of improvement. The first four of these – leadership; information, tools and training; IT systems; and unsupported technology – have been addressed in the assurance guidance and will be requirements of the DSP Toolkit. The final two recommendations are:
-
Audit and validation
Arrangements for internal data security audit and external validation should be reviewed and strengthened to a level similar to those assuring financial integrity and accountability.
-
CQC assessment
We'll amend our assessment framework and inspection approach to include assurance that appropriate validation against the new data security standards has been carried out, and make sure inspectors are appropriately trained.
This suggests that NHS organisations will be audited against the standards set out in the DSP Toolkit as part of the CQC assessment framework and this will be reflected in an organisation’s CQC rating.
If your organisation requires DSP Toolkit compliance, or if you are unsure if this applies to you, talk to one of our healthcare experts >>
Speak to an expert
For more information and tailored guidance for your organisation, speak to one of our healthcare experts.