Data Security Protection (DSP) Compliance

In 2018, the Data Security and Protection Toolkit, or the DSP Toolkit, replaced the Information Governance Toolkit, also known as the IG Toolkit. Using the DSP Toolkit, U.K.-based organizations can compare their practices to the 10 data security standards set forth by the National Data Guardian, an appointed individual responsible for advising healthcare organizations how to secure and use National Health Service (NHS) patients’ confidential information.

Technology and data security best practices are constantly evolving. Consequently, DSP Toolkit requirements are frequently reviewed and updated to ensure they reflect current data security standards.

Each year, every organization with access to NHS patient data and NHS systems must use this online self-assessment tool and review and submit their DSP Toolkit assessment before the deadline. By submitting a DSP Toolkit assessment, organizations can demonstrate that they have handled personal data appropriately and engaged in strong data security practices over the past year.

Any organization with access to NHS patient data or NHS systems will need to complete a DSPT assessment. This includes:

• NHS Providers: Any organization that offers services under the NHS Standard Contract is required to complete a DSPT assessment.
• Clinical Commissioning Groups: These discrete NHS groups organize their own corporate IT services and are responsible for completing the DSP Toolkit. When Clinical Commissioning Groups commission GP IT services, they must contractually obligate their GP IT providers to comply with the NHS’ data security and protection requirements.
• Some General Practices: Any general practices that offer individuals on a registered list primary care essential services under certain contracts must comply with the DSP Toolkit. This includes general practices contracted under Personal Medical Services (PMS) contracts, General Medical Services (GMS) contracts, and Alternative Provider Medical Services (APMS) contracts.
• Some Local Authorities: Local authorities that offer adult social care or public health services, receive NHS Digital services or data, or process confidential data are expected to complete a DSPT assessment.
• Some Social Care Providers: While the NHS suggests all social care providers complete a DSPT assessment, only those under an NHS standard contract are required to comply with the DSP Toolkit.

DSPT requirements vary by organization type. For example, the assessment NHS Trusts and Clinical Commissioning Groups must complete is more extensive than the assessment an optician must complete.

Typically, the deadline for submitting DSP Toolkit assessments falls on March 31. However, a company can submit the assessment well before then to avoid rushing the process as the deadline approaches.

The DSPT deadline has been extended in recent years. In 2020, the COVID-19 outbreak placed strain on healthcare workers and the NHS. As a result, the deadline for completing the Toolkit and publishing a privacy notice was temporarily extended to September 30, 2021. In 2021, the deadline was again pushed back from the typical March date to June 30, 2021. Organizations should check the NHS website for updated information.

In addition, the NHS expects compliance with the national data opt-out. Organizations with access to NHS patient data or NHS systems must have procedures in place to review whether confidential patient information has been used or disclosed according to operational policy guidelines.

Health and care organizations will also need a technical solution to compare lists of NHS numbers to lists of the NHS numbers of individuals who have registered for the national data opt-out. They will also need a process to ensure staff only use and disclose information from those who have not registered for the national data opt-out. Refer to the NHS Digital national data opt-out site for more information.

Each year, organizations with access to NHS patient data and systems must complete a DSP Toolkit assessment to prove they have met the Data Security Standards.

Data Security Standards NHS organizations are responsible for include the following:

• Ensure all staff handle, store, and transmit personal, confidential data securely. Staff should only share confidential information in situations where it’s both legal and appropriate. To encourage their staff members to carefully make sensible judgments regarding the handling, storage, and transmission of confidential data, organizations should inform their staff of the legislation and the consequences of mishandling data.
• Inform staff members of their responsibilities. Organizations are responsible for helping their staff understand their obligations under the Data Security Standards. In addition to understanding how to handle personal data responsibly and report any insecure behaviors or procedures, staff members must learn which behaviors are considered deliberate, negligent, or complacent. Organizations should also inform staff that their IT systems usage will be logged, and they will be held accountable for deliberate and avoidable breaches, which can affect their employment.
• Train staff each year. Every year, staff members must complete security training. Training involves reviewing several relevant case studies and passing a test.
• Only provide staff access to personal confidential data when necessary. Staff members should only have access to the data they need in their current role. To ensure people don’t accumulate system access rights over time, organizations should monitor and manage user privileges and remove access to data when users no longer need it.
• Review, identify, and improve processes at least once a year. Organizations should improve any processes that have resulted in previous breaches and near misses. They should also improve any procedures that may compromise data security by requiring staff to use potentially risky workarounds. Organizations can record security breaches and near misses to find and refine problematic processes.
• Identify and resist cyberattacks and respond to the NHS Digital Data Security Centre’s advice. Within 12 hours after detecting a data breach or a near miss, organizations must report it to senior management.
• Have a continuity plan to respond to data security threats. Organizations should also test their continuity plan at least once a year and send a report to senior management, enabling them to make informed decisions in the future.
• Don’t use any unsupported operating systems, software, or internet browsers within the IT estate. Unfortunately, it’s impossible to upgrade every unsupported system, and it’s important to consider finances. Risk owners can consult the NHS Digital Data Security Centre for guidance on prioritizing vulnerabilities and understanding the risks that may come from unsupported systems, software, or internet browsers.
• Have an effective strategy for protecting IT systems from cybersecurity threats. This strategy should be reviewed annually and derived from proven cybersecurity frameworks. Risk owners can consult the NHS Digital Data Security Centre to understand which national frameworks and components might be best for their organization.
• Hold IT suppliers accountable for meeting the Data Security Standards and protect the confidential data they’re responsible for processing. Organizations should create contracts to ensure their IT suppliers meet the Data Security Standards and can protect any confidential information they process. An IT supplier’s software must be compatible with supported operating systems, internet browsers, and plug-ins.

Any organization with access to NHS patient data and systems must comply with the DSP Toolkit, have strong data security practices, and handle personal data appropriately.

By improving your IT security posture, actively monitoring your entire environment, and restricting access to sensitive data, your organization can better protect itself from unusual events or data falling into the wrong hands.