Navigating the NHS DSP Toolkit (DSPT) Deadline 2023:

Ensuring continuing compliance with the Data Security and Protection Standards

As the use of technology continues to advance in healthcare, so does the need to protect sensitive patient data. In an era where data breaches and cyber threats have become increasingly common, organisations in the healthcare sector are under significant pressure to implement robust data security measures. In the United Kingdom, the Data Security and Protection Toolkit serves as a crucial tool to enhance data protection practices whenever NHS patient data is processed. With the deadline for organisations to make their annual DSPT submission looming on June 30th, healthcare organisations must understand the significance of DSPT and take the necessary steps to meet the requirements. In this article, we explore the importance of the Data Security and Protection Toolkit and its key components, and provide practical insights to help organisations meet the upcoming deadline. Our in-house DSPT consultants can assist you in making a submission.

Understanding the DSP Toolkit:

12 months after the WannaCry cyber-attack in 2017, the Data Security and Protection Toolkit was introduced by the UK Department of Health and Social Care to assist healthcare organisations in demonstrating their commitment to protecting sensitive information. The DSP Toolkit serves as an audit framework designed to assess and improve data security standards across the NHS and the wider healthcare sector that handles NHS patient data. All organisations that process NHS patient data or have access to it are required to make a DSPT submission. It replaces the previous Information Governance Toolkit (IG Toolkit) and is based on the 10 data security standards developed by the National Data Guardian.

Key Components of the DSP Toolkit:  

  1. Web-based reporting portal: The DSP Toolkit is an online platform where registered organisations are required to make assertions on the quality of their data security and privacy controls. Each assertion is recorded with the name of the individual making it, together with the date and time at which it was made. Some of the assertions require specific items of evidence to be uploaded into the portal. An example of this is requirement 1.1.2, where the organisation is asked ‘Does your organisation have an up-to-date list of the ways in which it holds and shares different types of personal and sensitive information?’ 1 For this assertion, the organisation is asked to provide a copy of its information asset register (IAR) and the ‘Record of Processing Activities’ (ROPA) that records its sharing of personal data, as evidence to substantiate the assertion.

  1. How many questions are in a DSPT submission: Organisations are graded into 4 categories. NHS Trusts are categorised as ‘Category 1’ and have the most requirements to meet. Most commercial and educational organisations are categorised as ‘Category 3’.   In the DSPT assessment for 2022-23 (v5), a typical ‘Category 3’ organisation is required to make 42 mandatory assertions.  Before an organisation can submit its DSPT assessment, the assertions have to be signed off at board level.  Each year, the DSPT is revised and changes are made to address heightened risks.  

  1. Leadership Obligations: Demonstrating strong leadership commitment to data security and establishing clear accountability structures within the organisation.  

  1. Data Security Standards: Meeting 10 specific data security standards set by the National Data Guardian, covering topics such as risk assessment, incident management, staff cyber security & privacy training etc.  

  1. Evidence Collection: Gathering evidence to support compliance with the DSP Toolkit requirements, including policies, procedures, risk assessments, audit checks etc.  

  1. Annual Submission: Completing and submitting the DSP Toolkit self-assessment on an annual basis to demonstrate compliance.  

Meeting the Deadline:

With the compliance deadline of June 30th rapidly approaching, healthcare organisations must take proactive steps to ensure they meet the requirements of the DSP Toolkit. Here are some practical insights to navigate the deadline successfully:

  • Complete a DSPT Gap Analysis Assessment: Conduct a comprehensive review of your organisation's existing data security practices to identify any gaps and areas that need improvement.  

  • Engage Stakeholders: Involve key stakeholders, such as IT teams, privacy leads, compliance officers, and senior management, to create a collaborative approach towards achieving compliance.  

  • Develop an Action Plan: Create a detailed roadmap outlining the steps required to meet each of the data security standards set by the DSP Toolkit and assign responsibilities. 

  • Staff Training and Awareness: Make sure you start the staff training exercise as soon as possible. As 95% of staff are required to have successfully completed the training in the last 12 months, organisations new to DSPT often struggle with this requirement. Organisations are recommended to organise and complete the free eLearning course and provide regular training sessions and awareness programmes to educate employees on data security best practices and their role in safeguarding sensitive information.  

  • Implement Technical Controls: Invest in robust technological solutions, such as data encryption, access controls, End Point Security, Information Asset Register etc, to boost your organisation's data security infrastructure.  

  • Documentation and Evidence Gathering: Ensure all necessary policies, procedures, and risk assessments are documented and readily available for submission as evidence of compliance.  

  • Regular Auditing and Testing: Conduct periodic audits and assessments to identify and address any potential weaknesses in your data security and privacy practices.  

The DSP Toolkit represents a significant milestone in the journey toward enhancing data security and safeguarding the privacy of NHS patient data in the healthcare sector. As the 2023 deadline approaches, healthcare organisations must prioritise compliance efforts to safeguard sensitive information effectively. By understanding the key components of the DSP Toolkit and implementing the necessary measures, organisations can instil confidence in patients, stakeholders, and regulatory bodies alike, demonstrating their commitment to data security and compliance in an increasingly digital world.  

Do you need help with your DSPT submission?  

If you need help with your DSP Toolkit submission then we can assist. Our in-house DSPT consultants are experts in the field of cyber security, information security management and data protection. We will work with you and your staff to implement these requirements and make a successful submission.

1  Information from NHS England, licensed under the current version of the Open Government Licence


