Guide: IT and Data Management

Simplifying the Data Security and Protection Toolkit assessment

The deadline for GP practices to complete the self-assessment tool showing them if they meet requirements around data security is fast approaching. Non-clinical partner Ryan Smith shares some advice on how best to approach this task

GP practices know they are expected to put in place measures to meet data security standards, so sensitive information is protected and they are prepared for a cyber attack or any other event that can disrupt health services.

However, fewer practices may be aware that, as part of that, they are required to participate in the Data Security and Protection Toolkit (DSPT) self-assessment. This online tool measures a practice’s performance against the 10 data security standards recommended by the National Data Guardian, which works with the Department of Health and Social Care to ensure people’s personal information is handled appropriately and correctly.

All organisations that have access to NHS patient data and systems have to complete the DSPT to provide assurance that they are practising good data security.

Submission of the DSPT is due by 30 June 2022 and there are 10 standards to complete.

Here are some tips to help you complete it as efficiently as possible:

1. Share the workload

After signing in using an NHS Digital login via the DSPT portal, there will be a dashboard and report available. Here, you can add multiple users and then assign specific modules for each person to complete. This is a severely underutilised feature – if you are a big practice it makes sense to divide the workload among your deputy manager, department heads or lead IT person.

2. Remember there’s key information already in your existing policies

There are 10 different areas to cover: personal confidential data, staff responsibilities, training, managing data access, process reviews, responding to incidents, continuity planning, unsupported systems, IT protection and accountable suppliers.

There are a total of 42 questions and 24 assertions to declare, 19 of which are mandatory.

There are five questions that require uploaded evidence to support them:

  1. GDPR policy
  2. Privacy Notice
  3. Publicly available policies
  4. Results of awareness study for staff (here, you could use SurveyMonkey/Kahoot)
  5. Register of networked medical devices

Where possible, use your main practice Information Governance/GDPR policies, Data Protection Impact Assessment and Privacy Notices as evidence.

These policies will need updating over time. It may be useful to schedule this work every quarter (i.e. on a regular basis), so you don’t have too much work to do all at once if each policy has the same review date.

Your colleagues in your PCN or CCG will have templates you may find useful – they may even allow you to use their policies. Don’t reinvent the wheel!

3. Ask for help from the experts around you

Below are a few tricky questions/statements on the DSPT I think most GPs or practice managers would struggle to answer or confirm:

1. Name the top three data and cyber security risks in the organisation.

2. Have all the administrators of your organisation’s IT system(s) signed an agreement to hold them accountable to higher standards?

3. The person with responsibility for IT confirms that IT administrator activities are logged and those logs are only accessible to appropriate personnel.

4. IT support staff typically have high-level access to systems. The activities of these users should be logged and only available to appropriate personnel.

5. How does your organisation make sure that there are working backups of all important data and information?

6. How do your systems receive updates and how often?

7. Have all networking components had their default passwords changed?

8. Has a penetration test been scoped and undertaken?

9. Are all laptops and tablets or removable devices that hold or allow access to personal data encrypted?

10. Do your organisation’s IT system suppliers have cyber security certification?

Most of the answers to the above can be obtained by contacting your local IT provider or support desk. It might also be worth asking your CCG/ICS, federation or PCN if they have involvement in IT procurement and delivery. Since all practices have to complete this toolkit, these organisations might have something already set up to help practices in your area.

Remember, ask for help from IT support, Commissioning Support Units, your CCG, data protection officers, external providers and your PCN or local federation.

Key links

Data Security and Protection Toolkit guidance and requirements –


DSPT login –

Ryan Smith is a non-clinical partner and strategic manager at Kenilworth and Warwick PCN
