The NHS Data Security and Protection Toolkit (DSPT) is an annual online self-assessment that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards.
If you are a health or care organisation that processes health data or accesses NHS patient data and systems, you are expected to use the Data Security and Protection Toolkit to demonstrate your compliance.
This year’s DSPT submission must be completed by 30 June 2024.
For the 2023-24 period, NHS England has introduced significant changes to the DSPT. These updates are part of the ongoing development of the system and support the general shift in approach to data security training and sector categorisation.
The major change for this year’s submission is in the training and awareness requirements.
Until July 2023, the DSPT required organisations to train at least 95% of their staff through the national Data Security Awareness Level 1 e-learning or a local equivalent.
For the 2023-24 period, all staff members need to possess an ‘appropriate understanding of information governance and cyber security’.
This update allows for greater versatility in establishing training criteria. You’ll have the freedom to customise training rules based on the specific roles of your staff. There is also the flexibility to use a range of methods to deliver the training, provided the approach is proportionate to the size and type of your organisation.
Before delivering any training, you should conduct a A systematic assessment used in organisations to identify the current knowledge and skills of staff to ensure they meet the standards set for their role. .
NHS England provides an example of a TNA methodology option
There are also sector changes for 2023-24 DSPT submissions:
The requirement for Category 1 organisations to undertake an independent DSPT audit has not changed for the 2023-24 period. However, with the newly added ‘IT Supplier’ Category, the scope has been expanded.
‘IT Supplier’ Category 1 organisations are now also required to undertake an independent DSPT audit
Previously, all third-party private companies providing digital goods and services to the NHS were Category 3, under the sub-category of ‘Company’, which had different DSPT requirements to Category 1.
If you are a third-party company supplying digital goods and services to the NHS, the advice is to check the criteria of the new ‘IT Supplier’ category, as listed above, and ensure you understand the requirements of a Category 1 DSPT submission.
All IT suppliers falling within the Category 1 criteria must complete their first DSPT audit by the end of the 2023-24 period, 30 June 2024.
|General Practice (GP)
|Commissioning Support Unit (CSU)
|Arm’s Length Body
|CCG/Integrated Care Board (ICB)
|Other (including charities and NHS business partners)
|OES Independent Provider
|University (including researcher/department/secondary use)
NHS England also provides the list of organisation types for DSPT 2023-24
The DSPT can often be regarded as a tick box exercise that is delayed until the deadline looms. However, if you can foster a culture of data security and embed DSPT requirements into daily operations, yearly submissions become easy and worry free.
Here are some of the common mistakes organisations can make with the DSPT A series of actions or steps taken in order to achieve a particular end., along with best practice tips:
Delaying completion until close to the due date is the most common mistake. One of the worst things you can do is try to complete the toolkit with one week left before the deadline.
Tip: Start early and allow sufficient time for a thorough and accurate submission.
Dates and documents
When reviewing DSPT items, there are 4 response types:
For the Yes/No responses, it is important to represent your organisation’s status accurately. Answering ‘Yes’ to having something in place when this is not the case can result in non-compliance with DSPT requirements.
Health or care organisations that access or process NHS patient data are contractually bound to complete the DSPT by the NHS Framework Agreement for the Provision of Services. The NHS contracting body may view a failure to meet the DSPT standards or misrepresentation of DSPT status as a breach of contract. This could result in commercial liabilities and reputational damage.
Tip: Consider responses months in advance. Date and document responses cannot be completed at the last minute. In many cases, the dates and documents should be pinned to senior management or board level approvals and reviews, with preparatory work completed before the June board meeting.
There are some assertions that require cooperation with third parties, which may fall outside your organisation’s direct control and cause problems with submitting the DSPT within the deadline.
For example, tasks such as penetration tests and onboarding new technical suppliers to provide firewalls, antivirus, and other IT services, take time to implement and should be considered sooner rather than later.
Neglecting new assertions
Failing to address the updated requirements or standards can lead to incomplete submissions, especially if you need to provide new evidence to demonstrate compliance.
The best way to prevent an incomplete submission is to stay informed. Learn about the latest requirements and provide relevant, up-to-date evidence that reflects the most recent state of your data security measures.
Completing the toolkit in isolation is a common oversight. Failing to collaborate with key departments can result in incomplete or inaccurate evidence collection.
It is recommended that you engage with all relevant departments for an accurate representation of your status. This includes IT, HR, operational/senior leadership, and procurement. Each department will have its own evidence and insights that can contribute to a comprehensive and complete DPST submission.
Here are a few helpful departmental tips:
By systematically addressing these aspects and maintaining a proactive approach, organisations can minimise risks, establish a robust framework for compliance, and streamline the annual DSPT submission.
The DPO Centre offers a comprehensive DSPT Audit service to oversee all of the above. We provide advice and guidance for best practice data security and can identify the gaps in your current data security measures.
A DSPT assessment can be tailored to review your wider data protection requirements or focus only on your DSPT submission.
Contact us today to discuss how we can help
For more news and insights about data protection follow The DPO Centre on LinkedIn
Fill in your details below and we’ll get back to you as soon as possible