NHS DSP Toolkit Consultancy
What is the NHS DSP Toolkit?
A compliance programme required by organisations dealing with NHS data.
It focuses on the information security and privacy issues relating to how you handle and protect NHS patient data.
Why DLP Assured to help with your NHS DSP Toolkit submission?
Let us do the heavy lifting. Our NHS DSP Toolkit experts will make it easy for you, using our tried and tested ‘DLP Data Protection Framework’ to fast-track your DSP Toolkit project.
What do we need to do to get NHS DSP Toolkit?
You work with your DLP consultant, using the ‘DLP Data Protection Framework’, which contains the policies and procedures required to meet the 10 DSP standards. We will work with you to implement these requirements and make a successful submission.
You are always in control
All projects have free access to our unique DLP Toolkit online project dashboard. This helps you plan and allocate tasks, track progress and provide management control to help keep your project on track.
You are in expert hands
DLP consultants have significant experience with NHS DSP Toolkit projects.
The consultant team are experts and highly qualified in information security, information security management, cyber security, and privacy.
DLP Assured have undertaken many DSP Toolkit projects (and, previously, NHS IG Toolkit projects) and have never had an unsuccessful submission.
In the unlikely circumstance that your submission is not successful we will work with you ‘free of charge’ to ensure a successful submission.
Your route to DSP Toolkit success
Use our DLP Toolkit starter programme to get you on track quickly and with minimum effort.
Simplify the DSPT by using our unique documentation set together with our SaaS-based DSP Toolkit Governance system.
If you already have a successful DSP submission and wish to have this independently checked, see our DSP Toolkit Audit service.
NHS DSP Toolkit FAQ
DSP Toolkit submissions have to be made annually; for some organisations this is every 6 months.
A DSP toolkit login provides access to an organisation’s NHS Data and Security Protection Toolkit account that is located on the NHS Digital portal: dspttoolkit.nhs.uk
The DSPT requirements cover the scope of the topics described in the National Data Guardian’s 10 data security standards. These standards cover privacy and information security management, along with some specific compliance requirements that are unique to the NHS such as the national opt-out policy.
The deadline for the 2021-2022 publication is 30 June 2022.
The DSP Toolkit Register is an online listing of those organisations, companies, charities etc., that are registered with NHS Digital to publish a Data and Security Protection Toolkit assessment. The register lists the status of an organisation’s most recent Data Security and Protection Toolkit self-assessment. Each entry in the DSPT Register lists the organisation's name and its ODS code, together with the published date and the organisation's latest DSPT status.
Organisations (as a minimum) are required to obtain a 'Standards Met' status.
There are 4 values for the latest status:
- Standards Met - The organisation meets all the mandatory requirements (for the particular organisation category).
- Standards Exceeded - The organisation has obtained Cyber Security Plus certification and therefore has exceeded basic requirements.
- Approaching Standards - For social care organisations, this category indicates that not all the mandatory requirements have been met but the organisation is in contact with NHS Digital and is in the process of making improvements.
- Not Published - The organisation is registered to make a DSP Toolkit submission but has yet to do so.
The DSP Toolkit Incident reporting tool is designed to make it easy to report an incident without having to refer to detailed guidance. The purpose of the tool is to record key aspects of the incident for GDPR and NIS regulation reporting (NIS: Security of Network and Information Systems Directive). NIS only applies to NHS Trusts, NHS Foundation Trusts, and those persons specifically designated by the Secretary of State for Health and Social Care.
The tool presents a series of questions to record the facts of what happened. All questions must be answered before an incident can be reported; however, security incidents involving the loss of personal data must be reported within 72 hours of the organisation becoming aware of the incident.
By using the DSPT Incident reporting tool, the incident will be automatically reported to the ICO, the Department of Health and Social Care, NHS England and the National Cyber Security Centre.
16 questions are asked:
- What has happened?
- How did you find out?
- When did you become aware of the incident?
- Was the incident caused by a problem with a network or an information system?
- Is there a Local Incident ID?
- When did the incident start?
- Is the incident still ongoing?
- Have Data Subjects or Users been informed?
- Does this incident impact across a national border?
- Have you informed the Police?
- Have you informed any other regulatory bodies about this incident?
- Has there been any media coverage of the incident (that you are aware of)?
- What other actions have already been taken or are planned?
- How many citizens are affected?
- Who is affected?
- What is the likelihood that citizens' rights have been affected?
To check the DSP Toolkit status of an organisation, go to the NHS DSPT Organisation Search.
The search will display the 'latest status'. Do note that the year of the latest submission is also displayed.
An NHS DSP Toolkit self-assessment records an organisation's level of compliance with the National Data Guardian’s 10 data security standards.
The National Data Guardian’s standards were first published in 2019 and are designed to incorporate all the applicable laws and regulations (and relevant good information management practices) that apply to organisations processing NHS patient data.
The principal focus is to highlight the good information security and privacy practices that the NHS expects organisations to implement and follow. Back in 2018, the NHS was significantly impacted by the ‘WannaCry’ ransomware attack, which prompted a review of the role of information governance and how it could be changed to provide better protection from cyber threats. This review resulted in an updated governance framework placing greater emphasis on the mitigation of IT risks.
The 10 DSP standards are as follows:
Leadership Obligation 1: People: ensure staff are equipped to handle information respectfully and safely, according to the Caldicott Principles.
- Data Security Standard 1. All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. Personal confidential data is only shared for lawful and appropriate purposes.
- Data Security Standard 2. All staff understand their responsibilities under the National Data Guardian’s Data Security Standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches.
- Data Security Standard 3. All staff complete appropriate annual data security training and pass a mandatory test, provided through the revised Information Governance Toolkit.
Leadership Obligation 2: Process: ensure the organisation proactively prevents data security breaches and responds appropriately to incidents or near misses.
- Data Security Standard 4. Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to individuals.
- Data Security Standard 5. Processes are reviewed at least annually to identify and improve processes that have caused breaches or near misses, or which force staff to use workarounds that compromise data security.
- Data Security Standard 6. Cyber-attacks against services are identified and resisted and CareCERT security advice is responded to. Action is taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection.
- Data Security Standard 7. A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management.
Leadership Obligation 3: Technology: ensure technology is secure and up-to-date.
- Data Security Standard 8. No unsupported operating systems, software or internet browsers are used within the IT estate.
- Data Security Standard 9. A strategy is in place for protecting IT systems from cyber threats which is based on a proven cyber security framework such as Cyber Essentials. This is reviewed at least annually.
- Data Security Standard 10. IT suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the National Data Guardian’s Data Security Standards.
Organisations must apply to NHS Digital at firstname.lastname@example.org. When applying, you must have an ODS code, which is provided by the Organisation Data Service, a separate department within NHS Digital whose purpose is to identify organisations across health and social care.
Making a successful DSPT self-assessment submission is a fairly simple process if the organisation has already established risk-based controls (and processes) that safeguard its systems and any data they hold.
In the case of a commercial organisation’s DSP Toolkit submission (known as a Category 3 organisation), there are 90+ assertions presented, of which over 40 are mandatory and must be answered.
When the organisation believes it has completed its DSPT assertions (as a minimum, it must complete all requirements marked 'mandatory'), it selects the ‘Publish’ option, and the submitter is asked to confirm that the organisation’s management is aware of the assertions and that they are correct. When the organisation publishes, a summary record is displayed on the DSP Toolkit portal. If a company meets all the mandatory assertions, its status is displayed as ‘Standards Met’.
The NHS Information Governance (IG) Toolkit was replaced in 2018 by the Data and Security Protection (DSP) Toolkit. A new portal was launched, enabling organisations that were required to submit a DSP Toolkit self-assessment to record their assertions and measure their alignment with the guidance issued by the National Data Guardian.
The new 10 Data Security standards focused on establishing and maintaining controls in 3 areas: People, Process and Technology.
- People - Ensure staff are equipped to handle information respectfully and safely, according to the Caldicott Principles.
- Process - Ensure the organisation proactively prevents data security breaches and responds appropriately to incidents or near misses.
- Technology - Ensure technology is secure and up-to-date.
See also ‘What are the DSP Toolkit standards?’ in this FAQ.
A DSPT submission must be made by the following types of organisation:
- organisations with a contractual obligation, because their supply agreement is based upon the NHS standard contract
- organisations that have access to or process NHS patient data
- organisations that access NHS Digital systems such as Spine-based applications or NHSmail
+44 (0)203 397 0142
DLP Assured Services Limited
152 - 160 City Road