The NHS Data Security and Protection Toolkit (DSPT) is an annual, online assessment that measures performance against the 10 Data Security Standards developed by the National Data Guardian (NDG).
The DSPT assesses an organisation’s compliance with legal requirements, NHS policy and best practice around data security and protection.
Navigating the DSPT can be time-consuming and challenging – but it doesn’t have to be. With decades of experience in administering data protection law in health and social care settings, we’ll help you pass confidently, first time, and maintain your compliance year after year.
If you provide health IT systems or services to the NHS or UK health and social care sector, it’s likely you’ll need to submit a DSPT.
The DSPT is a requirement under the NHS Standard Contract Terms for all suppliers to the NHS. If you want to secure NHS contracts, or you’re already working with publicly funded health and social care providers or commissioners in the UK, you’ll need to achieve and maintain ‘standards met’ against the DSPT requirements.
The DSPT is also a key component of the Digital Technology Assessment Criteria (DTAC), which means compliance with the DTAC is dependent on achieving a ‘standards met’ DSPT submission.
In most cases, you’ll need to complete your first DSPT early on in your journey to market, as part of DTAC compliance or in response to an NHS client request.
Book a free, no-obligation discovery call with one of our data protection experts.
Our DSPT as a service is designed for organisations with limited or no experience of the DSPT requirements.
We’ll review your current practices and tailor our support to your existing data security and protection arrangements. Our end-to-end support for DSPT submissions includes:
Reviewing your existing approach to data security and compliance
Providing guidance on how to become compliant
Registering your organisation to allow you to make your submission
Creating an infrastructure that best suits your business practices
Preparing any documentation required
Facilitating workshops to complete your Records of Processing Activities (ROPA)
Implementing and embedding key compliance procedures and activities, including data breach reporting and management, business continuity, Data Protection Impact Assessments (DPIAs) and data protection by design and by default, and data security and protection awareness training for staff
Collating all evidence and completing your DSPT submission on your behalf
Recommending any further controls, actions or activities needed to maintain compliance
Working with you to ensure your compliance and submission are maintained over time
Most organisations handling health or social care information have a legal duty under the Data Protection Act 2018 to appoint a Data Protection Officer (DPO). This will almost certainly be the case for organisations providing health IT systems or services to the NHS.
The Data Security and Protection Toolkit, or “DSPT” as it is sometimes known, is an online self-assessment tool which measures the performance of any organisation that processes health and care data against the National Data Guardian’s 10 data security standards. You can learn more about the history of the DSPT and other NHS health and care compliance standards in our blog.
The Data Security and Protection Toolkit (DSPT) is an annual assessment so must be renewed every year. The deadline for completing and submitting the DSPT each year is 30th June.
Need help? Get in touch before 30th May to qualify for support from our team.
The DSPT is a contractual requirement under the NHS Standard Contract Terms and a requirement for inclusion on NHS Frameworks. It must be completed annually by any supplier of health IT systems or services to the NHS or the UK health and social care sector.
The DSPT is also a key component of the Digital Technology Assessment Criteria (DTAC). To demonstrate compliance with the DTAC you will need to hold and maintain a DSPT submission to ‘standards met’.
A DSPT will demonstrate to your NHS health and social care clients and the public that you take data security and protection seriously.
In most cases, you will need to complete your first DSPT early on – often in the journey to market, as part of DTAC compliance, or in response to an NHS client request.
If you supply health IT systems or services to the UK health and social care sector, you will need to maintain and evidence your compliance with Data Protection Law, including the Data Protection Act 2018 – the UK’s implementation of the General Data Protection Regulation (GDPR) – for the duration of your contract.
Data protection compliance isn’t a one-off tick-box exercise – it’s something which needs to be embedded into your day-to-day processes. Data protection law also requires you to demonstrate that you are complying with the law by maintaining records which show that your organisation is accountable and that processes are being routinely followed.
As your business grows and as the data protection landscape evolves, your practices will also need to evolve.
There is a legal duty under the UK GDPR to appoint a Data Protection Officer (DPO) if your business processes ‘special category’ data such as health or social care information. If you supply health IT systems or services to the UK health and social care sector, you will need a named DPO. Having a named DPO will also give your NHS health and social care clients and the public confidence that you take data security and protection seriously.
DPOs monitor internal compliance, advise on your obligations including Data Protection Impact Assessments (DPIAs) and act as a point of contact for data subjects and the Information Commissioner’s Office (ICO). A DPO helps demonstrate your compliance with data protection law and will be focused on accountability.
The ICO stipulates that your DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level. Your DPO can be an employee or externally appointed.
Still not sure if you need a DPO? The ICO provides a helpful self-assessment tool to help you navigate the requirements and understand whether you need a named DPO.
It’s entirely possible to complete the DSPT yourself, but the bigger question is, can you afford to get it wrong?
Don’t wing it. Most organisations that provide health IT systems or services to the NHS will fall into Category 3 with 35 Assertions and 42 mandatory evidence items which must be provided or responded to in order to achieve the ‘standards met’ certification.
Unless you’re 100% clear on your obligations under the DSPT (data protection, data security, information governance and management) it’s not worth taking the risk. It could cost you more in the long run in customers, contracts, risk management, your reputation, fines, and most importantly, patient and clinical safety.
It’s much more cost-effective to outsource to experts like 8fold with decades of experience in health and social care compliance, so you can focus on the crucial task of growing your business.
For more information about what good governance looks like, you can also visit the CQC website.
We provide full support in all elements of DTAC including:
We’ll review your DTAC compliance for free.
Let’s see how we can help you navigate DTAC or any other aspect of information governance, data protection or clinical safety.