What Is The NHS Data Security and Protection Toolkit?
Does your organisation have access to NHS patient data? The NHS-required Data Security and Protection Toolkit (DSPT) can be easily supported within Hicomply.
Hicomply is the first software company to develop a bespoke management solution that specifically addresses the requirements, controls and assertions required to meet the DSPT.
What is the NHS DSP Toolkit?
The DSPT is an online self-assessment that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards. Any organisation with access to NHS patient data must review and submit an annual DSPT assessment.
The assessment itself is straightforward via an online form. However, in order to address the questions and pass the assessment, a significant amount of preparation, evidence collection and security controls management through the year.
As data security standards evolve, the requirements of the DSPT are reviewed and updated to ensure they are aligned with current best practice. Hicomply is consistently updated as the toolkit requirements change.
The NHS DSPT also provides organisations with a means of reporting security incidents and data breaches. Hicomply’s integrations allow incidents to be tracked as tasks or in ticketing software solutions.
Why does the NHS ask for a DSPT assessment?
All organisations that have access to NHS patient information must provide assurances that they have the proper measures in place to ensure that this information is kept safe and secure.
Completion of the DSPT is therefore a contractual requirement specified in the NHS England Standard Conditions contract, and it remains Department of Health and Social Care policy that all bodies that process NHS patient information for whatever purpose provide assurances via the DSPT.
Completion of the DSPT is also necessary for organisations which use national systems such as NHSmail and the e-referral service.
What are the DSPT requirements?
DSPT requirements are tailored to health organisation type. Organisations such as NHS Trusts and Clinical Commissioning Groups will have to complete a more extensive assessment than a smaller organisation such as a dentist or an optician.
Information regarding the DSPT Standard and a full list of the 2021/22 Requirements for all organisation types are provided in the NHS DSPT resources.
'Standards Met' assessment
Following registration, an organisation should aim to complete a ‘Standards Met’ assessment by responding to all mandatory questions within the assessment. The number of mandatory questions is determined by your organisation type.
The DSPT is organised under the 10 data security standards. Under each standard there are a number of 'assertions' you will need to work through. To complete each assertion, you are required to provide evidence items which demonstrate compliance with the assertion.
Hicomply's solution has been customised to address all the evidence and assertions, including:
DSPT controls matrix
The Hicomply controls matrix has been customised to meet the NHS toolkit standard. All the controls that support DSPT are in Hicomply and linked to the relevant policies and procedures, for intuitive, comprehensive DSPT adherence.
NHS-ready policies and procedures
Our policies and procedure generator creates all mandatory documents in minutes. That's 25 policies, 10 procedures, and 3 records. Everything you need to get through the certification process.
Risk management tool
Use our risk management tool, linked to and integrated with your asset register. Access a whole library of pre-defined risks, linked to the relevant controls. Or create your own - flexibility is built in.
Many evidence items require a document response and our solution generates, store and updates the documentation required to be submitted.
Once all the mandatory evidence items have been completed, and all assertions confirmed, you will be able to publish your assessment. You can make any changes at a later date to information you have provided, you can update and republish your assessment any time throughout the year. You must, however, ensure that your organisation has published at least one assessment by the deadline of 30 June every year.
'Approaching Standards' assessment
Social Care organisations are eligible to complete an ‘Approaching Standards’ assessment, indicating care providers that have demonstrated good progress but have not yet reached 'Standards Met'.
Achieving the 'Standards Exceeded' assessment
If an organisation achieves 'Standards Met' and also has a current Cyber Essentials Plus certification and ISO 27001 recorded in its Organisation Profile, then it's status will be displayed as 'Standards Exceeded'.
Hicomply can also assist in gaining these additional certifications and gaining the ‘standards exceeded’ status.
Headquarters (HQ) assessments
If your organisation is made up of multiple sites or branches, which all follow the same policies and exist as a single legal entity, then you may choose to publish a single assessment at HQ level. This assessment can then be applied to all the sites listed under the HQ.
Providing evidence for multiple separate organisations
In some cases, organisations will need to complete a separate toolkit for multiple organisations. Hicomply’s bespoke set-up can support this more complex evidence-gathering scenario.
Incident reporting
All health and care organisations that process personal data must report any data breaches to the Information Commissioner’s Office (ICO) via the DSPT within 72 hours of discovering an incident. Hicomply can also help with automating this process.
If you want to see how we can save you weeks of time preparing for your DSPT assessment BOOK A DEMO HERE.
Ready to Take Control of Your Privacy Compliance?
Book a demo and experience the difference with Hicomply.