What is the NHS DSPT?
The NHS Data Security and Protection Toolkit (DSPT) is a required self-assessment for every organisation that has access to UK NHS patient data, including organisations that use NHSmail and the e-referral service.
Required evidence falls under the following categories:
- Staffing and Roles
- Policies and Procedures
- Data Security
- IT Systems and Devices
What are the possible DSPT assessment results?
Your organisation will achieve ‘Approaching Standards’ upon registration.
When you have completed all the mandatory evidence items, your organisation will achieve ‘Standards Met.’ The number of mandatory evidence items varies depending on your organisation type.
If your organisation achieves Standards Met and has a current Cyber Essentials Plus certification recorded in its organisation profile, its status will show as ‘Standards Exceeded’.
What are the mandatory evidence assertions for Standards Met?
1. Personal confidential data
1.1.1 What is your organisation’s Information Commissioner’s Office (ICO) registration
1.1.2 Does your organisation have an up to date list of the ways in which it holds and
shares different types of personal and sensitive information?
1.1.3 Does your organisation have a privacy notice?
1.1.5 Who has responsibility for data security and protection and how has this
responsibility been formally assigned?
1.2.1 Does your organisation have a privacy notice(s)?
1.2.4 Is your organisation compliant with the national data opt-out policy?
1.3.1 Does your organisation have up to date policies in place for data protection and for
data and cyber security?
1.3.2 Does your organisation monitor your own compliance with data protection policies
and regularly review the effectiveness of data handling and security controls?
1.3.7 Does your organisation’s data protection policy describe how you keep personal
data safe and secure?
1.3.8 Does your organisation’s data protection policy describe how you identify and
minimise risks to personal data when introducing, or changing, a process or starting a new
project involving personal data?
1.3.11 If staff, directors, trustees and volunteers use their own devices (e.g. phones) for
work purposes, does your organisation have a bring your own device policy and is there
evidence of how this policy is enforced?
1.3.12 How does your organisation make sure that paper records are safe when taken out
of the building?
1.3.13 Briefly describe the physical controls your buildings have that prevent
unauthorised access to personal data.
1.3.14 What does your organisation have in place to minimise the risks if mobile phones
are lost, stolen, hacked or used inappropriately?
1.4.1 Does your organisation have a timetable which sets out how long you retain records
1.4.2 If your organisation uses third parties to destroy records or equipment that hold
personal data, is there a written contract in place that has been reviewed since 1st July
2021? This contract should meet the requirements set out in data protection regulations.
1.4.3 If your organisation destroys any records or equipment that hold personal data, how
does it make sure that this is done securely?
2. Staff responsibilities
2.1.1 Does your organisation have an induction process that covers data security and
protection, and cyber security?
3.1.1 Has a training needs analysis covering data security and protection, and cyber
security, been completed in the last 12 months?
3.2.1 Have at least 95% of staff, directors, trustees and volunteers in your organisation
completed training on data security and protection, and cyber security, in the last 12
3.4.1 Have the people with responsibility for data security and protection received
training suitable for their role?
4. Managing data access
4.1.1 Does your organisation have an up to date record of staff, and volunteers if you
have them, and their roles?
4.2.4 Does your organisation have a reliable way of removing or amending people’s
access to IT systems when they leave or change roles?
4.5.4 How does your organisation make sure that staff, directors, trustees and volunteers
use good password practice?
5. Process reviews
5.1.1 If your organisation has had a data breach or a near miss in the last year, has the
organisation reviewed the process that may have allowed the breach to occur?
6. Responding to incidents
6.1.1 Does your organisation have a system in place to report data breaches?
6.1.2 If your organisation has had a data breach, were the management team notified,
and did they approve the actions planned to minimise the risk of a recurrence?
6.1.3 If your organisation has had a data breach, were all individuals who were affected
6.2.1 Do all the computers and other devices used across your organisation have
antivirus/antimalware software which is kept up to date?
6.3.2 Have staff, directors, trustees and volunteers been advised that use of public Wi-Fi
for work purposes is unsafe?
7. Continuity planning
7.1.2 Does your organisation have a business continuity plan that covers data and cyber
7.2.1 How does your organisation test the data and cyber security aspects of its business
7.3.1 How does your organisation make sure that there are working backups of all
important data and information?
7.3.2 All emergency contacts are kept securely, in hardcopy and are up-to-date
7.3.4 Are backups routinely tested to make sure that data and information can be
8. Unsupported systems
8.1.4 Are all the IT systems and the software used in your organisation still supported by
the manufacturer or the risks are understood and managed?
8.2.1 If your answer to 8.1.4 was that software risks are being managed, please provide a document that summarises the risk of continuing to use each unsupported item, the reasons for doing so and a summary of the action your organisation is taking to minimise the risk.
8.3.5 How does your organisation make sure that the latest software updates are
downloaded and installed?
9. IT protection
9.1.1 Does your organisation make sure that the passwords of all networking
components, such as a Wi-Fi router, have been changed from their original passwords?
9.5.2 Are all laptops and tablets or removable devices that hold or allow access to
personal data, encrypted?
10. Accountable suppliers
10.1.2 Does your organisation have a list of its suppliers that handle personal
information, the products and services they deliver, and their contact details?
10.2.1 Do your organisation’s IT system suppliers have cyber security certification?
What are the main DSPT evidence assertions?
1.1 The organisation has a framework in place to support Lawfulness, Fairness and Transparency
1.2 Individuals’ rights are respected and supported
1.3 Accountability and Governance in place for data protection and data security
1.4 Records are maintained appropriately
2.1 Staff are supported in understanding their obligations under the National Data Guardian’s Data Security Standards
3.1 There has been an assessment of data security and protection training needs across the organisation
3.2 Staff pass the data security and protection mandatory test
3.3 Staff with specialist roles receive data security and protection training suitable to their role
3.4 Leaders and board members receive suitable data protection and security training
4.1 The organisation maintains a current record of staff and their roles
4.2 The organisation assures good management and maintenance of identity and access control for it's networks and information systems
4.3 All staff understand that their activities on IT systems will be monitored and recorded for security purposes
4.4 You closely manage privileged user access to networks and information systems supporting the essential service
4.5 You ensure your passwords are suitable for the information you are protecting
5.1 Process reviews are held at least once per year where data security is put at risk and following data security incidents
5.2 Participation in reviews is comprehensive, and clinicians are actively involved
5.3 Action is taken to address problem processes as a result of feedback at meetings or in year
6.1 A confidential system for reporting data security and protection breaches and near misses is in place and actively used
6.2 All user devices are subject to anti-virus protections while email services benefit from spam filtering and protection deployed at the corporate gateway
6.3 Known vulnerabilities are acted on based on advice from NHS Digital, and lessons are learned from previous incidents and near misses
7.1 Organisations have a defined, planned and communicated response to Data security incidents that impact sensitive information or key operational services
7.2 There is an effective test of the continuity plan and disaster recovery plan for data security incidents
7.3 You have the capability to enact your incident response plan, including effective limitation of impact on your essential service. During an incident, you have access to timely information on which to base your response decisions
8.1 All software and hardware has been surveyed to understand if it is supported and up to date
8.2 Unsupported software and hardware is categorised and documented, and data security risks are identified and managed
8.3 Unsupported software and hardware is categorised and documented, and data security risks are identified and managed
8.4 You manage known vulnerabilities in your network and information systems to prevent disruption of the essential service
9.1 All networking components have had their default passwords changed
9.2 A penetration test has been scoped and undertaken
9.3 Systems which handle sensitive information or key operational services shall be protected from exploitation of known vulnerabilities
9.4 You have demonstrable confidence in the effectiveness of the security of your technology, people, and processes relevant to essential services
9.5 You securely configure the network and information systems that support the delivery of essential services
9.6 The organisation is protected by a well-managed firewall
10.1 The organisation can name its suppliers, the products and services they deliver and the contract durations
10.2 Basic due diligence has been undertaken against each supplier that handles personal information
10.3 All disputes between the organisation and its suppliers have been recorded and any risks posed to data security have been documented
10.4 All instances where organisations cannot comply with the NDG Standards because of supplier-related issues are recorded and discussed at board
10.5 The organisation understands and manages security risks to networks and information systems from your supply chain.