What Is The NHS Data Security & Protection Toolkit?

The NHS Data Security & Protection Toolkit is an NHS-operated tool that allows organisations handling sensitive patient data to self-assess against the 10 Data Security Standards issued by the National Data Guardian. The toolkit also requires organisations to declare their compliance and to publish a transparent public statement to that effect.

It is imperative that all organisations handling sensitive patient information use the Data Security & Protection Toolkit to thoroughly assess their data security efforts and ensure that effective data protection measures are in place.

How We Can Help

We can assist you with the requirements of the DSP toolkit and help ensure that your organisation is structured as it needs to be for the assessment.

We offer the following services:

  • Audit Service
  • Submission Service
  • Security Testing Service

Who Should Complete It

The NHS Data Security & Protection Toolkit serves as an annual requirement for organisations wishing to access (or continue to access) sensitive NHS data. Whether you’re working directly under the NHS or simply serving as a third-party supplier to NHS organisations, it’s essential that your organisation is fully compliant with the Data Security & Protection Toolkit.

Larger trusts or hospital groups may also be required to complete the toolkit bi-annually to ensure ongoing compliance.

Organisations that are required to comply with the NHS Data Security & Protection Toolkit are grouped into the following four categories:

  • Category 1 – NHS trusts
  • Category 2 – Arm’s length bodies, Clinical Commissioning Groups (CCGs) and Commissioning Support Units (CSUs)
  • Category 3 – All other sectors
  • Category 4 – GP practices

People

1. Handling, transmission and storage of confidential data

All sensitive data is stored, handled and distributed in a secure manner, with personally identifiable information only being shared for lawful purposes.

2. Staff accountability and responsibilities

The organisation’s staff understand their duties under the National Data Guardian’s Data Security Standards, including the responsible handling of sensitive data and the active prevention of data breaches.

3. Staff data security training and testing

All staff must take part in annual data protection training and pass a compulsory test provided through the revised Information Governance Toolkit.

Process

4. Access controls

Sensitive data is only accessible to members of staff who require access to it, with access being removed as soon as it’s no longer required.

5. Annual process reviews

Data protection processes are reviewed at least once a year to identify, and remediate, any shortcomings in the organisation’s data protection processes. Standard procedures are continuously improved year on year in line with evolving cyber security threats and data protection regulation.

6. Cyber attack identification, resistance and response

Cyber attacks against the organisation’s infrastructure are rapidly identified and deflected, with immediate action taken following an attempted (or successful) data breach. Cyber threats are reported to senior management within twelve hours of detection.

7. Continuity and incident response planning

A suitable continuity plan is established to respond to data protection threats. The plan is tested annually, with a performance report issued to senior management.

Technology

8. Unsupported operating systems, applications or browsers

No unsupported or unsafe infrastructure, including browsers, operating systems and software, is used within the organisation’s IT estate.

9. Implementation of a suitable strategy or framework to protect IT systems

A cohesive strategy is in place to protect IT infrastructure from cyber security threats. The strategy must be based upon a proven framework, such as Cyber Essentials, and reviewed annually.

10. Contractual accountability for IT suppliers

IT suppliers are held contractually accountable for protecting the sensitive NHS data they handle, in adherence to the National Data Guardian’s Data Security Standards.

When Is The Deadline?

The deadline for completing the DSP toolkit is 31st March, although it can be submitted at any point in the year. If your organisation is required to complete it twice a year, the deadlines are 31st March and 31st October. It is recommended that you submit the DSP toolkit as soon as you have the information ready rather than waiting for the deadline, to avoid an unnecessary rush and potential shortcomings.