What is DSPT Compliance: From Toolkit to Audit (2024)
2024-11-22 07:53:31 Author: securityboulevard.com

The Data Security and Protection Toolkit (DSPT), an online tool, is undergoing significant changes. From September 2024, the DSPT will now align with the National Cyber Security Centre’s Cyber Assessment Framework (CAF) to enhance cybersecurity measures across the NHS. This shift will impact many NHS organisations and require adjustments to their data security and protection toolkit strategies.

Understanding the concept of ‘toolkit completion’ is crucial. It involves defining the scope of the submission and its compliance considerations, deciding whether to submit as a single research group or as a broader unit, and understanding data flows and current compliance status so that the associated risks can be managed effectively.

What is DSPT Compliance?

DSPT, or Data Security and Protection Toolkit, is a comprehensive framework established by the National Health Service (NHS) to safeguard patient information. It sets out the standards and guidelines for good data security that organisations handling NHS patient data must adhere to, including the scope and compliance considerations involved in toolkit completion.

DSPT adherence ensures that NHS data is protected from unauthorised access, misuse, disclosure, modification, or destruction.

Benefits of DSPT

Enhanced data security and protection: DSPT compliance fosters a robust data security and protection culture, reducing the risk of cyberattacks and maintaining patient trust. This proactive approach safeguards sensitive information and reduces the likelihood of data breaches and the financial losses that follow them.

Improved patient trust: Demonstrating complete DSPT adherence reinforces patients’ confidence that their personal health information is handled securely, building trust and potentially improving patient outcomes.

Legal and regulatory compliance: Non-compliance with DSPT can lead to severe legal and financial penalties. Adhering to DSPT mitigates legal risks, protects reputation, and aligns with regulations like GDPR for comprehensive information governance requirements.

Access to NHS systems and services: Complying with DSPT allows organisations to participate in NHS systems and services and improve processes, enabling valuable collaboration, data sharing, and service delivery opportunities.

Who should comply?

DSPT compliance is mandatory for any organisation that handles NHS patient information. This includes:

  • Healthcare providers (hospitals, GP surgeries, clinics)

  • Social care organisations

  • Pharmaceutical companies

  • Insurance providers

  • Any third-party organisation involved in the processing of NHS data

NHS DSPT Requirements

DSPT involves a structured approach to data security. It consists of two primary components:

  • Mandatory assertions: These are core requirements that all organisations must meet. They cover fundamental aspects of data security, such as access control, data encryption, and staff training.

  • Optional assertions: These provide additional measures for organisations handling higher-risk data or seeking advanced levels of protection. They include risk assessments, incident management, and data retention policies.

Toolkit completion is crucial in meeting mandatory and optional assertions, as it helps define the scope and compliance considerations involved in a toolkit submission.

All staff must handle, store, and transmit personal confidential data and documents securely, whether in electronic or paper form.

New changes to DSPT Compliance in 2024

The DSPT is being updated to use the National Cyber Security Centre’s Cyber Assessment Framework (CAF) as its foundation for cybersecurity assurance and information governance. This change will impact a range of NHS organisations, including trusts, foundation trusts, and integrated care boards. NHS trusts will need to comply with the new requirements by June 2025.

The DSPT Toolkit

The DSP Toolkit is an essential online self-assessment tool designed to help organisations measure and improve their data security practices. It is a crucial component of achieving and maintaining DSPT compliance.

Toolkit completion is vital in determining the scope and compliance considerations to effectively manage associated risks, whether as a single research group or a broader unit.

Overview of the Online Self-Assessment Tool

The DSP toolkit is structured around the National Data Guardian’s ten security standards. It guides organisations through a series of questions and prompts to assess their performance against data security standards in critical areas such as:

  • Staff training and awareness

  • Data access and sharing

  • Device and network security

  • Incident management

  • Risk management

Toolkit completion is crucial in assessing and improving data security practices by defining the scope and compliance considerations involved in undertaking a toolkit submission.

By answering these questions, organisations can identify and measure the strengths and weaknesses in their data security practices.

Key Components of the DSPT Toolkit (Data Security Protection Toolkit)

The toolkit comprises several key components:

  • Self-assessment questions: These cover various aspects of data security, allowing organisations to evaluate their compliance level.

  • Guidance and support materials: The toolkit clearly explains data security standards and best practices, offering support throughout the assessment process.

  • Action planning: After the self-assessment is completed, the toolkit helps organisations create action plans to address identified gaps in their data security measures. Toolkit completion supports this by establishing whether the submission covers a single research group or a broader unit, and by clarifying data flows and compliance status so that the associated risks can be managed effectively.

  • Reporting functionality: The toolkit generates reports that summarise an organisation’s performance and highlight areas for improvement.

How to Use the Data Security Protection Toolkit

  1. Access the toolkit: The DSPT toolkit is available online through the NHS website.

  2. Register your organisation: Create an account for your organisation to access the toolkit.

  3. Complete the self-assessment: Answer the questions honestly and accurately to assess your organisation’s data security practices. Understanding the scope and compliance considerations involved in ‘toolkit completion’ is crucial for effectively managing associated risks.

  4. Review the results: Analyse the generated report to identify strengths and areas for improvement.

  5. Develop an action plan: Create a plan to address any identified weaknesses and enhance data security measures.

  6. Monitor and review: Regularly review and update your data security practices.

By effectively utilising the DSPT toolkit, social care organisations can demonstrate their commitment to data protection, provide assurance, mitigate risks, and build trust with patients and stakeholders.

How to Achieve DSPT Compliance?

Achieving DSPT compliance involves a systematic approach encompassing various data management and security aspects. Toolkit completion plays a crucial role in this process, as it consists of defining the scope, understanding data flows, and ensuring compliance to manage associated risks effectively. Here’s a step-by-step guide:

Gathering Necessary Information

Before starting the compliance implementation journey, gather essential information: inventory NHS patient data, determine staff roles and responsibilities, evaluate existing security measures, and conduct a risk assessment to identify threats and vulnerabilities.

Completing the Self-Assessment

Utilise the DSPT Toolkit to conduct a thorough self-assessment. This involves answering questions about your organisation’s data security practices. The toolkit will provide insights into your current state and highlight areas for improvement.

Toolkit completion is crucial in conducting a thorough self-assessment, as it helps define the scope and compliance considerations involved in the process.

Implementing Required Policies and Procedures

Based on the self-assessment findings, develop and implement the necessary policies: a data protection policy, an access control policy, data handling procedures, and an incident response plan for data breaches or security incidents.

Staff Training and Awareness

Ensure all staff handling patient data receive training on data protection responsibilities, including data protection awareness, security best practices, and correct data handling procedures.

You can achieve and maintain DSPT compliance by following these steps and by continuously monitoring, updating, and implementing your data security efforts.

How does the DSPT audit process work?

The DSPT audit process assesses and documents an organisation’s adherence to the data security standards. There are two primary types of audit: internal and external.

  • Internal Audits: Your organisation assesses itself against the DSPT toolkit and reviews its policies and staff knowledge.

  • External Audits: An independent assessor verifies compliance through document checks, interviews, and system checks.

Both audits help identify areas for improvement and provide information to strengthen data security processes.

Maintaining DSPT Compliance to protect NHS Patient Data and Systems

Consistent adherence to Data Security Protection Toolkit standards is crucial. Key practices include:

  • Regular review and updates: Periodically assess your compliance status, update policies, and conduct staff training.

  • Risk management: Continuously identify, assess, and mitigate data security risks.

  • Incident response: Have a well-defined plan to respond to any data breach or security incident.

  • Staff awareness: Foster a robust data protection culture through ongoing training and awareness programs.

  • Technology updates: Keep IT systems, software, and antivirus protection up-to-date.

  • Data minimisation: Only collect and retain necessary data.

  • Data sharing agreements: Put agreements in place so that data shared with external organisations is transmitted and handled securely.

Several NHS trusts and healthcare organisations opt for Cyber Essentials certification. Cyphere is an IASME-accredited certification body for Cyber Essentials Plus certification.

Summary

DSPT compliance ensures the protection of NHS data. Organisations handling such data must follow specific guidelines to ensure that the data is handled correctly. Unsupported operating systems or internet browsers that no longer receive security updates pose a significant cyber risk: their known vulnerabilities make them prime targets for cybercriminals. The DSPT toolkit helps assess compliance, and audits, both internal and external, verify adherence to the data security standards.

FAQ

When is the DSPT compliance deadline?

In most cases, an organisation must submit its DSPT by the end of June each year.

Is the Data Security Protection Toolkit mandatory?

DSPT compliance is mandatory for any organisation that handles NHS data.

What is the purpose of the DSPT?

The DSPT is designed to help organisations measure their data security and protection practices against established standards, ensuring the safeguarding of NHS patient data and systems.

How often should penetration testing be conducted?

Penetration testing should be conducted regularly, ideally annually, or whenever significant changes are made to the IT estate to identify vulnerabilities and improve security measures.

Who is responsible for DSPT compliance within an organisation?

Typically, the Information Governance (IG) lead, the cyber security director, or a designated data protection officer oversees DSPT compliance and ensures that all staff understand their security responsibilities.

What happens if an organisation fails to comply with DSPT?

Non-compliance can result in legal and financial penalties, loss of access to NHS contracts, and damage to the organisation’s reputation.

What is the role of the DSPT audit in maintaining compliance?

The DSPT audit process, both internal and external, helps assess adherence to data security standards, identify areas for improvement, and provide assurance that data protection measures are effective.


Source: https://securityboulevard.com/2024/11/what-is-dspt-compliance-from-toolkit-to-audit-2024/