NHS Data Security and Protection Toolkit Standard

    The Data Security and Protection (‘DSP’) Toolkit Standard is an online tool that enables relevant organisations to measure their performance against the data security and information governance requirements mandated by the Department of Health and Social Care (‘DHSC’), notably the 10 data security standards set out by the National Data Guardian in the 2016 Review of data security, consent and opt-outs.

    Last Updated: July 24, 2019

  • General

    The DSP Toolkit Standard is an NHS standard. All organisations that have access to NHS patient data and systems must use this Toolkit to provide assurance that they are practising good data security and that personal information is handled correctly. Such organisations are required to carry out self-assessments of their compliance against the assertions and evidence contained within the DSP Toolkit.

    While some elements are mandatory, the DSP Toolkit also provides a mechanism for organisations to continually monitor their own performance and so be able to evidence improvement over time against recommended elements.

    2019 Update

    The DSP Toolkit standard is reviewed annually. In June 2019, the DSP Toolkit standard was updated in order to:

    • respond to lessons learned and direct feedback from users following the first year of the DSP Toolkit;
    • improve the targeting of requirements to different categories of organisations;
    • rationalise some of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) evidence items which are now considered ‘business as usual’;
    • incorporate the requirements of Cyber Essentials and the Minimum Cyber Security Standard (‘MCSS’) for relevant larger NHS organisations; and
    • incorporate key elements of the Network and Information Systems (‘NIS’) Regulations 2018 Cyber Assessment Framework (‘CAF’) for relevant larger NHS organisations as advised by the National Cyber Security Centre.
  • Scope and application

    DSP Toolkit assessments must be completed and published by all organisations which:

    • have access to NHS patients and/or to their information;
    • provide support services directly to an NHS organisation; and
    • have either direct or indirect access to national informatics services.

    This includes social care providers that provide care through the NHS Standard Contract. In addition, completion of the DSP Toolkit is obligatory for any party seeking approval for access to NHS patient information from either the Confidentiality Advisory Group or NHS Digital.

    These include, but are not limited to:

    • NHS organisations (acute trusts, ambulance trusts, mental health trusts, clinical commissioning groups) including foundation trusts and NHS community health providers;
    • NHS England;
    • NHS Digital;
    • Local Authority Adult Social Care;
    • Local Authority Public Health;
    • Public Health England;
    • Primary Care providers (community pharmacies / dispensing appliance contractors, dental practices, eye care services, general practices);
    • DHSC arms’ length bodies that closely support care services (i.e. executive agencies such as the Medicines and Healthcare products Regulatory Agency; special health authorities such as the NHS Business Services Authority);
    • Bodies commissioned or otherwise contracted to provide services by any of the above.

    In addition to the NHS mandate above, other organisations are required to provide Data Security and Protection assurances via the DSP Toolkit as part of business/service support processes or contractual terms. That is, for these organisations annual DSP Toolkit assessments are required for either or both of two purposes:

    • To provide Data Security and Protection assurances to the Department of Health and Social Care or to NHS commissioners of services;
    • To provide Data Security and Protection assurances to NHS Digital before receiving research data or as part of the terms and conditions of using national systems and services including the e-Referral Service and NHSmail.
  • Requirements

    The DSP Toolkit standard requirements spreadsheet sets out the evidence items which are applicable to different categories of organisation. The sector-to-category mapping is as follows:

    Sector                            Category
    --------------------------------  ----------
    Acute                             Category 1
    Ambulance Trust                   Category 1
    Community Services Provider       Category 1
    Mental Health Trust               Category 1
    Arms Length Body                  Category 2
    CCG                               Category 2
    CSU                               Category 2
    NHS Digital                       Category 2
    AQP Clinical Services             Category 3
    AQP Non-Clinical Services         Category 3
    Care Home                         Category 3
    Charity / Hospice                 Category 3
    Company                           Category 3
    Dentist (NHS)                     Category 3
    Dentist (Private)                 Category 3
    Domiciliary Care Organisation     Category 3
    Local Authority                   Category 3
    NHS Business Partner              Category 3
    Optician                          Category 3
    Pharmacy                          Category 3
    Prison                            Category 3
    Researcher / Department           Category 3
    Secondary Use Organisation        Category 3
    University                        Category 3
    GP                                Category 4

    The assertions and evidence items include determining the internal and external issues that might affect security and privacy, and creating policies and procedures to match.

    Key topics include:

    • Senior ownership of data security and protection within the organisation;
    • Clear data security and protection policies in place and available to the public;
    • Individuals’ rights;
    • Maintenance of records of processing activities;
    • Data Protection by Design and Default;
    • Data Protection Impact Assessments;
    • Data quality controls and process reviews;
    • Implementation of a confidential system for reporting data security and protection breaches as well as a defined, planned and communicated response to data security incidents that impact sensitive information or key operational services;
    • Continuity and disaster recovery plans; and
    • Due diligence against each supplier that handles personal information in accordance with ICO and NHS Digital guidance.
  • Timescales

    First-time assessments

    Organisations carrying out their first assessment should complete this in line with the contract of services they are party to, or as required by the tendering process they are involved in.

    Where a first assessment is being carried out as part of an application for national systems and services, the organisation should complete this as soon as they are able as access will not be granted until an assessment has been published and reviewed by NHS Digital.

    Similarly, for Research Teams or National Registers required to complete a DSP Toolkit assessment in support of an application to access patient information held on national systems, held by NHS Digital or required for processing without consent (for both research and non-research purposes), the DSP Toolkit assessment should be completed within the timelines determined by the approval processes concerned.

    Additional assessments

    A second or subsequent assessment can be started at any time but in all cases the final publication must be made online by 31 March each year.

    Category 1 and 2 organisations

    Category 1 and 2 NHS organisations are also required to complete an interim assessment during the year – the deadline for the interim submission will be 31 October each year. This will be publicised by writing to all the organisations covered by the scope of the interim assessments and by communication through the Strategic Information Governance Network, the network of IG leads in large health and care organisations.

    The work necessary to make improvements or to maintain compliance should be an on-going process and not left till the year end.

    Organisations registered with the CQC will have data security included in their Well-Led inspection with their DSP Toolkit considered as key evidence.

  • Incident and Breach

    The DSP Toolkit standard requires all organisations to ensure that robust breach detection, investigation and internal reporting procedures are in place to support decision-making about whether or not the organisation needs to notify the relevant supervisory authority and the affected individuals.

    Under Article 33 of the GDPR it is a legal obligation to notify personal data breaches to the ICO within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Article 34 of the GDPR also makes it a legal obligation to communicate the breach to those affected without undue delay when it is likely to result in a high risk to individuals’ rights and freedoms. It is also a contractual requirement of the standard NHS contract to notify incidents in accordance with this guidance. The notification may be an initial summary with very little detail known at the outset, with a fuller report to follow; there is no expectation that a full investigation will be carried out within 72 hours. The ICO has asked all relevant health and social care organisations to use the reporting tool accessed via the DSP Toolkit in preference to the ICO-provided reporting mechanism, so that sector intelligence can be gathered and local solutions to groups of incidents can be implemented.

    In addition, the NIS Regulations seek to ensure that essential services, including healthcare, have adequate data and cyber security measures in place to deal with the increasing volume of cyber threats. They require ‘operators of essential services’ to report any network and information systems incident which has a ‘significant impact’ on the continuity of the essential service that they provide to the relevant ‘competent authority’.

    Data breaches that originated before 25 May 2018 and have subsequently come to light after this date must be reported on the Data Security and Protection Incident Reporting Tool. If an organisation is unsure, it is advised to use this tool and the regulatory authority will determine which legal framework applies, i.e. the Data Protection Act 2018 or the GDPR. Previously reported incidents will remain available in a read-only format for at least 7 years after 25 May 2018 for purposes of legal compliance. NIS reportable incidents must be reported from 10 May 2018.

    You can find further information regarding incident reporting here.
