Data Security and Protection Toolkit (DSPT)

Information Governance

Each year we have to complete the Data Security and Protection Toolkit and submit our evidence to NHS Digital. The Data Security and Protection Toolkit replaced the previous Information Governance Toolkit from April 2018 and was updated in June 2019. In our recent submission for 2018/19 we achieved a ‘Standards Met’ DSPT status. This meets the requirement for us to be able to access NHS patient data and demonstrates that we are practising good information governance. While the DSPT is a self-assessment, our Internal Audit colleagues have independently reviewed a sample of our submission and given ‘substantial assurance’ on the validity of our work.

A little more background information for you

What is the Data Security and Protection Toolkit?

The Data Security and Protection Toolkit is a performance tool produced by the Department of Health (DH) and now hosted by NHS Digital.

The Data Security and Protection Toolkit is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards.

All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

What are the information governance requirements?

There are different sets of information governance requirements for different organisational types. However all organisations have to assess themselves against requirements for:

  1. Personal Confidential Data
  2. Staff Responsibilities
  3. Training
  4. Managing Data Access
  5. Process Reviews
  6. Responding to Incidents
  7. Continuity Planning
  8. Unsupported Systems
  9. IT Protection
  10. Accountable Suppliers

What is the purpose of the Data Security and Protection Toolkit?

The purpose of the Data Security and Protection Toolkit is to enable organisations to measure their compliance against data protection legislation and the National Data Guardian’s Data Security Standards, and to check whether information is handled correctly and protected from unauthorised access, loss, damage and destruction.

Where partial compliance or non-compliance is revealed, organisations must take appropriate measures (e.g. assign responsibility; put in place policies, procedures, processes and guidance for staff), with the aim of making cultural changes and raising information governance standards through year-on-year improvements.

The ultimate aim is to demonstrate that the organisation can be trusted to maintain the confidentiality and security of personal information. This in turn increases public confidence that ‘the NHS’ and its partners can be trusted with personal data.