Version 5 of the NHS DSPT (Data Security and Protection Toolkit) for 2022-23 was published on 24th August 2022. The deadline for submission (or re-submission) of the annual assessment is Friday 30th June 2023.
All NHS standard contracts require suppliers to maintain a DSPT to a minimum of ‘standards met’ for the duration of the contract. The DSPT also forms a core pass/fail element of the Digital Technology Assessment Criteria (DTAC) which all new health technology adopted by the NHS must be assessed against. In addition to these requirements, the DSPT can also act as an excellent way of providing assurance both internally and externally to clients and the public that your organisation is committed to privacy, confidentiality and security and has implemented appropriate organisational and technical controls to protect personal data.
Most organisations that are external to the NHS but provide services to them fall into ‘Category 3’. There are 35 Assertions and 42 mandatory evidence items which must be provided or responded to by Category 3 organisations in order to achieve ‘standards met’.
Some questions to ask yourself before tackling the DSPT:
- Have you renewed your ICO registration?
- Are all your data security and protection policies and procedures still up to date?
- Have you been monitoring compliance with your policies and procedures?
- Have you got a Record of Processing Activities (RoPA) for your organisation and when was this last reviewed?
- Do your organisation’s IT system suppliers have cyber security certification?
- Does your organisation have a timetable which sets out how long you retain records for?
- Is the National Data Opt-Out Policy applicable to your organisation, and if so, is your organisation compliant?
- What does your organisation have in place to minimise the risks if mobile phones are lost, stolen, hacked or used inappropriately?
- Does your organisation have a business continuity plan that covers data and cyber security?
Many organisations complete their first DSPT early on in their journey, often in preparation for going to market or in response to a request from a client. Policies and procedures which were produced quickly, or which may be effective when working at a small scale, can quickly become unwieldy or ineffective as your organisation grows in size and complexity.
Are you confident that the evidence you submitted for your last NHS DSPT submission is still relevant, up to date and effective?
For Category 3 organisations DSPT submissions are currently a self-assessment and there is no requirement for these to be externally audited or assured. Many NHS organisations will therefore want to confirm that organisations have high quality evidence underpinning their DSPT submission and may request copies of key policies, procedures and other evidence.
How confident would you be if you were asked to provide copies of your DSPT evidence?
The 8foldGovernance team has extensive experience in supporting the completion of NHS DSPT submissions for all categories of organisation. After reviewing your existing organisational data security arrangements, we will provide you with guidance on how to ensure compliance with the DSPT standards, assist in the production of the required documentation to a high standard of quality, and complete the online submission.
Our Data Security and Protection experts will tailor the service around your existing data security and protection practices and documentation, ensuring the most streamlined adoption of the DSPT requirements and ongoing compliance. By working with your organisation’s staff, we will create a Data Security and Protection infrastructure that best suits your day-to-day, business-as-usual operations.
The Data Security and Protection Toolkit requires that your organisation identifies a number of roles filled by different individuals, including: an Information Security Lead, a Caldicott Guardian, an Information Governance Lead and a Data Protection Officer. We know it can be difficult for already stretched staff to find the time to fill these roles and complete the tasks that come with them. To counter this, 8foldGovernance also offers a DPO Support Service. With this we can work with you beyond the initial delivery of the DSPT, providing ongoing support to the right staff members and assurance that you remain compliant with the DSPT requirements and all of your Information Governance obligations, all year round, year after year.