What is the data security and protection toolkit (DSP toolkit)?
The DSP toolkit (also known as the data security and protection toolkit) is an online self-assessment tool that enables organisations to measure and publish their performance against the National Data Guardian’s ten data security standards. You can access the toolkit here.
Any organisations with access to NHS patient information, NHS networks, or NHS systems that contain patient information need to comply with the toolkit to ensure they are practising good data security and that personal information is handled correctly.
The DSP toolkit replaced the previous Information Governance toolkit in April 2018.
Who needs to complete the data security and protection toolkit?
The DSP toolkit is an annual requirement for any organisation, both within and outside of the NHS, that wants to have (or retain) access to NHS patient data. If you work in the biotech industry, create medical devices, or create technical or third-party solutions that you want to sell to the NHS or have NHS patient services use, then you need to be compliant with the DSP toolkit. The toolkit will also give you access to NHS.net (NHS email).
Large-scale organisations such as big NHS Trusts, multiple hospitals and multiple sites may be required to complete the toolkit twice a year in order to retain compliance.
Organisations that sit within the requirements of the DSP toolkit will fall into one of the following categories:
- Category 1 – NHS trusts
- Category 2 – Arm’s length bodies, Clinical Commissioning Groups (CCGs) and Commissioning Support Units (CSUs)
- Category 3 – All other sectors
- Category 4 – GP practices
What is the deadline for completing the DSP toolkit?
The deadline for completing the DSP toolkit is 31st March, but it can be submitted at any point in the year. (If you are an organisation that is required to complete it twice a year, the deadlines will be 31st March and 31st October.) It is recommended that you submit the DSP toolkit as soon as you have the information ready, rather than waiting for the deadline, to avoid an unnecessary rush and potential shortcomings.
The DSP toolkit process
The DSP toolkit process consists of a self-assessment questionnaire of around 116 questions that are broken down into 10 sections. These questions require you to provide detailed information about your organisation regarding the following areas:
- Privacy management
- Information management
- Quality management
- Training requirement
- IT protection
- IT controls
Throughout the DSP toolkit process there are prompts where you are required to provide evidence documentation. For example:
- Evidence of oversight and accountability within your organisation
  Who is responsible for looking after data protection and information security, and how is that information disseminated down through your organisation?
- Evidence of training carried out within your organisation
  This is to ensure that you are maintaining good data security and that personal information is handled effectively.
- Evidence of the technical controls in place within your organisation
  How are you demonstrating that your IT systems and controls are in place to protect the NHS information that you are (or are going to be) handling? For example, are you doing vulnerability scanning, pen testing or patch management?
Get help with iSTORM®
If you are looking to work as a third party with the NHS, or you're looking to get involved with NHS Digital, then you need to start looking at the requirements of the DSP toolkit to make sure that your organisation is structured in the way that it needs to be and that you can provide the evidence that is required.
The iSTORM® team of experts have extensive experience in dealing with the toolkit and can help take the pain out of your annual submission with a range of support services, including gap analysis and submission support.
Don’t leave it till the last minute. Contact the team on 01789 608708 or email email@example.com and start preparing for next year’s submission.