Data Security Protection (DSP) Compliance

Learn about DSP Toolkit compliance, including what it is, who needs to complete an assessment, and more

Fully functional for 30 days

Improve Security Posture

DSP Reporting

Improve security posture

SolarWinds^® Security Event Manager (SEM) is built to help organizations improve their security posture, monitor their environments, and more easily demonstrate compliance through collecting, normalizing, and correlating log data, so you can ensure environments are fully monitored. SEM is also designed to automatically respond to threats in real time and alert your organization of suspicious activities, which can help raise awareness of security threats and help you comply with National Data Guardian’s Data Security Standards.

Download Free Trial Email Link To Trial

Fully functional for 30 days

Learn More

DSP Toolkit compliance reporting

SolarWinds SEM is designed to simplify compliance reporting with hundreds of built-in compliance report templates, helping you save valuable time. With the ability to generate custom reports for specific periods and audiences, SEM is a powerful reporting and compliance management tool.

Using SEM, you can export reports in several standard formats and can even include graphical summaries. This helps enable your organization to improve processes to deliver reports each year, as laid out in the Data Security Protection (DSP) Toolkit requirements. Through compliance reports, you can more easily demonstrate you have the recommended data security measures in place.

As a lightweight, user-friendly compliance monitoring tool, your organization can watch for policy violations and streamline IT compliance reporting with SolarWinds SEM.

Download Free Trial Email Link To Trial

Fully functional for 30 days

Learn More

Get More on DSP Compliance

Do you find yourself asking…

What is Data Security and Protection (DSP) Toolkit compliance?
Who needs to complete a DSPT assessment?
What is the deadline for completing the DSP Toolkit?
DSP Toolkit requirements
How to comply with DSPT

In 2018, the Data Security and Protection Toolkit, or the DSP Toolkit, replaced the Information Governance Toolkit, also known as the IG Toolkit. Using the DSP Toolkit, U.K.-based organizations can compare their practices to the 10 data security standards set forth by the National Data Guardian, an appointed individual responsible for advising healthcare organizations how to secure and use National Health Service (NHS) patients’ confidential information.

Technology and data security best practices are constantly evolving. Consequently, DSP Toolkit requirements are frequently reviewed and updated to ensure they reflect current data security standards.

Each year, every organization with access to NHS patient data and NHS systems must use this online self-assessment tool and review and submit their DSP Toolkit assessment before the deadline. By submitting a DSP Toolkit assessment, organizations can demonstrate that they have handled personal data appropriately and engaged in strong data security practices over the past year.

Each year, organizations with access to NHS patient data and systems must complete a DSP Toolkit assessment to prove they have met the Data Security Standards.

Data Security Standards NHS organizations are responsible for include the following:

Ensure all staff handle, store, and transmit personal, confidential data securely. Staff should only share confidential information in situations where it’s both legal and appropriate. To encourage their staff members to carefully make sensible judgments regarding the handling, storage, and transmission of confidential data, organizations should inform their staff of the legislation and the consequences of mishandling data.

Inform staff members of their responsibilities. Organizations are responsible for helping their staff understand their obligations under the Data Security Standards. In addition to understanding how to handle personal data responsibly and report any insecure behaviors or procedures, staff members must learn which behaviors are considered deliberate, negligent, or complacent. Organizations should also inform staff that their IT systems usage will be logged, and they will be held accountable for deliberate and avoidable breaches, which can affect their employment.

Train staff each year. Every year, staff members must complete security training. Training involves reviewing several relevant case studies and passing a test.

Only provide staff access to personal confidential data when necessary. Staff members should only have access to the data they need in their current role. To ensure people don’t accumulate system access rights over time, organizations should monitor and manage user privileges and remove access to data when users no longer need it.

Review, identify, and improve processes at least once a year. Organizations should improve any processes that have resulted in previous breaches and near misses. They should also improve any procedures that may compromise data security by requiring staff to use potentially risky workarounds. Organizations can record security breaches and near misses to find and refine problematic processes.

Identify and resist cyberattacks and respond to the NHS Digital Data Security Centre’s advice. Within 12 hours after detecting a data breach or a near miss, organizations must report it to senior management.

Have a continuity plan to respond to data security threats. Organizations should also test their continuity plan at least once a year and send a report to senior management, enabling them to make informed decisions in the future.

Don’t use any unsupported operating systems, software, or internet browsers within the IT estate. Unfortunately, it’s impossible to upgrade every unsupported system, and it’s important to consider finances. Risk owners can consult the NHS Digital Data Security Centre for guidance on prioritizing vulnerabilities and understanding the risks that may come from unsupported systems, software, or internet browsers.

Have an effective strategy for protecting IT systems from cybersecurity threats. This strategy should be reviewed annually and derived from proven cybersecurity frameworks. Risk owners can consult the NHS Digital Data Security Centre to understand which national frameworks and components might be best for their organization.

Hold IT suppliers accountable for meeting the Data Security Standards and protect the confidential data they’re responsible for processing. Organizations should create contracts to ensure their IT suppliers meet the Data Security Standards and can protect any confidential information they process. An IT supplier’s software must be compatible with supported operating systems, internet browsers, and plug-ins.

In 2018, the Data Security and Protection Toolkit, or the DSP Toolkit, replaced the Information Governance Toolkit, also known as the IG Toolkit. Using the DSP Toolkit, U.K.-based organizations can compare their practices to the 10 data security standards set forth by the National Data Guardian, an appointed individual responsible for advising healthcare organizations how to secure and use National Health Service (NHS) patients’ confidential information.

Technology and data security best practices are constantly evolving. Consequently, DSP Toolkit requirements are frequently reviewed and updated to ensure they reflect current data security standards.

Each year, every organization with access to NHS patient data and NHS systems must use this online self-assessment tool and review and submit their DSP Toolkit assessment before the deadline. By submitting a DSP Toolkit assessment, organizations can demonstrate that they have handled personal data appropriately and engaged in strong data security practices over the past year.
Any organization with access to NHS patient data or NHS systems will need to complete a DSPT assessment. This includes:
NHS Providers: Any organization that offers services under the NHS Standard Contract is required to complete a DSPT assessment.
Clinical Commissioning Groups: These discrete NHS groups organize their own corporate IT services and are responsible for completing the DSP Toolkit. When Clinical Commissioning Groups commission GP IT services, they must contractually obligate their GP IT providers to comply with the NHS’ data security and protection requirements.
Some General Practices: Any general practices that offer individuals on a registered list primary care essential services under certain contracts must comply with the DSP Toolkit. This includes general practices contracted under Personal Medical Services (PMS) contracts, General Medical Services (GMS) contracts, and Alternative Provider Medical Services (APMS) contracts.
Some Local Authorities: Local authorities that offer adult social care or public health services, receive NHS Digital services or data, or process confidential data are expected to complete a DSPT assessment.
Some Social Care Providers: While the NHS suggests all social care providers complete a DSPT assessment, only those under an NHS standard contract are required to comply with the DSP Toolkit.
DSPT requirements vary by organization type. For example, the assessment NHS Trusts and Clinical Commissioning Groups must complete is more extensive than the assessment an optician must complete.
Each year, organizations with access to NHS patient data and systems must complete a DSP Toolkit assessment to prove they have met the Data Security Standards.

Data Security Standards NHS organizations are responsible for include the following:

Ensure all staff handle, store, and transmit personal, confidential data securely. Staff should only share confidential information in situations where it’s both legal and appropriate. To encourage their staff members to carefully make sensible judgments regarding the handling, storage, and transmission of confidential data, organizations should inform their staff of the legislation and the consequences of mishandling data.
Inform staff members of their responsibilities. Organizations are responsible for helping their staff understand their obligations under the Data Security Standards. In addition to understanding how to handle personal data responsibly and report any insecure behaviors or procedures, staff members must learn which behaviors are considered deliberate, negligent, or complacent. Organizations should also inform staff that their IT systems usage will be logged, and they will be held accountable for deliberate and avoidable breaches, which can affect their employment.
Train staff each year. Every year, staff members must complete security training. Training involves reviewing several relevant case studies and passing a test.
Only provide staff access to personal confidential data when necessary. Staff members should only have access to the data they need in their current role. To ensure people don’t accumulate system access rights over time, organizations should monitor and manage user privileges and remove access to data when users no longer need it.
Review, identify, and improve processes at least once a year. Organizations should improve any processes that have resulted in previous breaches and near misses. They should also improve any procedures that may compromise data security by requiring staff to use potentially risky workarounds. Organizations can record security breaches and near misses to find and refine problematic processes.
Identify and resist cyberattacks and respond to the NHS Digital Data Security Centre’s advice. Within 12 hours after detecting a data breach or a near miss, organizations must report it to senior management.
Have a continuity plan to respond to data security threats. Organizations should also test their continuity plan at least once a year and send a report to senior management, enabling them to make informed decisions in the future.
Don’t use any unsupported operating systems, software, or internet browsers within the IT estate. Unfortunately, it’s impossible to upgrade every unsupported system, and it’s important to consider finances. Risk owners can consult the NHS Digital Data Security Centre for guidance on prioritizing vulnerabilities and understanding the risks that may come from unsupported systems, software, or internet browsers.
Have an effective strategy for protecting IT systems from cybersecurity threats. This strategy should be reviewed annually and derived from proven cybersecurity frameworks. Risk owners can consult the NHS Digital Data Security Centre to understand which national frameworks and components might be best for their organization.
Hold IT suppliers accountable for meeting the Data Security Standards and protect the confidential data they’re responsible for processing. Organizations should create contracts to ensure their IT suppliers meet the Data Security Standards and can protect any confidential information they process. An IT supplier’s software must be compatible with supported operating systems, internet browsers, and plug-ins.

DSP compliance solution

Security Event Manager

Collecting logs from different sources can feel like herding cats without the right tool.
Cutting through the noise to quickly get to the logs you need doesn’t have to be difficult.
Identifying suspicious behavior faster, with less manual effort and less security expertise, is possible.

Starts at:

SCM, an Orion module, is built on the SolarWinds Platform

Download Free Trial Email Link to Trial

Fully functional for 30 days

Learn More

Let's talk it over.

Contact our team. Anytime.

Learn More About Our Popular Products

Automated User Provisioning IP Address Scanner Database Performance Monitoring NTFS Permissions Report Tool Network Troubleshooting Service Desk Active Directory Auditing Tool Server Monitoring Software IT Help Desk Network Audit Virtualization Manager IT Asset Management

Explore More Resources

View All Resources