The Data Security and Protection Toolkit (DSPT) is an online self-assessment tool that organisations must complete if they are processing health and care data or accessing NHS systems. Successful completion of the assessment provides assurances that highly sensitive personal health and care data is being handled by organisations in line with the minimum standard of current security guidelines. The requirements are based on the National Data Guardian 10 Data Security Standards and organisations are required to undertake this assessment annually.
In this blog, we are going to identify the organisations that are required to undertake the assessment, and then provide an overview of how the DSPT assessment is structured. In doing so we will pull out the most relevant pieces of information that your business needs to be aware of before undertaking the assessment and provide guidance to get started on the road to certification.
Who needs to complete the DSPT self-assessment?
The most important thing to be aware of is that getting DSPT certified is mandatory for any health and care provider, or organisation processing, storing, or transferring health and care data, or wishing to access NHS services. If you answer yes to one or more of the following questions, you are required to undergo the assessment:
- Do you process health and care data, or access NHS systems?
- Do you have access to tertiary systems such as NHSmail or use the NHS e-referral service?
- Are you looking to work with the NHS or within the UK healthcare sector in the future?
Benefits of the DSP Toolkit
Other than being mandatory, the DSP Toolkit brings a number of benefits. Firstly, the toolkit has been developed by the NHS in consultation with health and care organisations and therefore is uniquely adapted to take account of your business’ operating context within the UK healthcare sector.
The standard is not simply about meeting minimum requirements but provides a roadmap for organisations towards continuous improvement of their security posture. Hence the toolkit identifies non-mandatory security items that organisations should consider in order to continue to improve their overall security policies, procedures and controls.
As an organisation, by aligning with security best-practice guidelines you are mitigating the risk of a data breach or information security incident that could lead to significant damages, both financially and to your reputation.
Finally, as with obtaining any recognised security standard, you are demonstrating to your clients, supply chain, staff and other key stakeholders that you take information security seriously, that you are handling data safely and legally, and you are a trusted partner.
When do I need to submit my assessment?
The current period is open for the submission of the 2021/22 version of the DSPT. The full list of requirements can be found here.
The deadline to submit your assessment for this year is 30 June 2022.
How is the DSPT structured?
The DSPT is split into 3 levels referred to as “Approaching Standards”, “Standards Met” and “Standards Exceeded” (see figure 1). It is important to note that organisations are only required to achieve “Standards Met” to pass the assessment.
“Approaching Standards” applies to social care organisations that are on their way but haven’t yet met the “Standards Met” requirements. Organisations must evidence 27 mandatory items and present a development plan detailing how they will achieve the remaining mandatory items.
To meet “Standards Met”, organisations must evidence all mandatory evidence items such as having a formalised security policy and implementing training and awareness programmes. Evidence items are grouped under 4 security headings:
- Staffing and Roles
- Policies and Procedures
- Data Security
- IT Systems and Devices
The number of mandatory items you will need to evidence is defined by your organisation’s category. DSPT defines 4 categories with an increasing number of mandatory evidence requirements to reflect the different risk profiles of organisations in different categories. The majority of organisations will likely fall into category 3, but we will discuss this in more detail later in this blog.
Figure 1: DSP Toolkit structure
DSPT has a 3rd level that sits above “Standards Met” named “Standards Exceeded”. Organisations will gain the label “Standards Exceeded” if they hold the Cyber Essentials Plus certification at the time they achieve “Standards Met”.
In summary, all organisations should achieve or be aiming to achieve “Standards Met”. This requires that you evidence a number of items which are determined by the category in which your organisation sits. There are 3 levels of compliance, which are:
- Approaching Standards: for care providers who are approaching but not yet able to meet “Standards Met”. Organisations are required to answer 27 mandatory questions and submit a plan detailing how you will achieve the remaining evidence items.
- Standards Met: Organisations are required to evidence all mandatory items as defined by their category (see figure 2, below) in order to achieve DSPT status “Standards Met”.
- Standards Exceeded: Organisations that achieve “Standards Met” and currently hold a Cyber Essentials Plus certification are assigned the highest level and will have “Standards Exceeded” displayed as their DSPT status.
Organisations are required to meet “Standards Met” or, in the case of “Approaching Standards”, to evidence that they are on their way to achieving it.
Categorisation of organisations
The DSP Toolkit evidence requirements are linked to the risk profile of your organisation. Central organisations such as an NHS Trust or Ambulance Trust will be required to complete a more extensive assessment than a GP, dental practice, or opticians, for example. Organisations are split into the 4 categories shown below. Definitions of each organisation type can be found here.
- Category 1: NHS, Ambulance and Mental Health Trusts, and CSPs
- Category 2: Arm’s Length Bodies, CCGs, GSUs, and NHS Digital
- Category 3: All other sectors
- Category 4: GPs
Figure 2: Evidence requirements
Each category will be required to evidence a number of mandatory security practices to achieve the “Standards Met” level. After evidencing all required mandatory items, organisations can submit answers to evidence the non-mandatory items at their discretion. However, this is not required to meet the “Standards Met” classification.
What else do you need to know?
There are a few more things you should be aware of, or already have in place, when undertaking the DSPT assessment.
Your ODS Code (Organisation Data Service Code)
The NHS Organisation Data Service assigns every health and care organisation a unique ODS code. If you do not know your code, you can locate it using this search tool here. If you do not have a code, you will need to get in contact with the DSP Toolkit help desk to acquire one.
Single vs multi-site organisations
The number of DSPT submissions you are required to make depends on your organisation’s size and how your security governance framework has been structured.
Single site entities (e.g., a single care home) and organisations that have centralised security and data policies and procedures covering all their sites are only required to complete one DSP Toolkit.
Multi-site organisations that do not share the same security and data policies and procedures across their sites should complete additional assessments, one for each distinct, segregated operating unit.
Accountability is a core security concept and a key step to achieve this is to identify a named individual who is ultimately responsible for your information security. In order to pass the assessment, you will need to nominate a Data Protection Officer and identify a single person accountable for your information security. The persons in each of these roles should be adequately qualified and experienced.
Additionally, all NHS organisations and local authorities providing social services must have a Caldicott Guardian, who is required to be registered on the publicly available National Register of Caldicott Guardians. Other health and social care organisations (e.g., from the independent sector) are encouraged to register a Caldicott Guardian but are not required to.
2021/22: What’s changed?
The DSP Toolkit is a relatively new certification having come into the public domain in 2018 and as such is evolving rapidly as organisations provide feedback. There have been several changes in the 2022 process, which we have detailed below:
- Overlapping evidence items have been rationalised, reducing the overall number of evidence items.
- Evidence items that relate to technical requirements have been updated to reflect the current threat landscape, such as requirements for the management of connected medical devices and plans to phase out or “air-gap” unsupported operating systems.
- Feedback from consultation with stakeholders has been reflected in the evidence request wording and guidance to provide greater clarity.
- The required Cyber Essentials Plus on-site assessment has been made non-mandatory. You are now only required to state that you have achieved this certification within the assessment tool.
Full details of the latest changes and release notes can be found on the DSPT website.
Where should you start?
In this blog we have given you the basic information to understand what the Data Security and Protection Toolkit is, how it’s structured, and whether or not it is relevant to your organisation. To summarise, the Toolkit is a mandatory assessment for businesses working, or looking to begin working, with UK health and care data or NHS systems. It defines a minimum standard of security and is therefore not meant to be a difficult standard for any organisation to achieve. Yet, knowing where to start is not necessarily clear, especially for organisations on the first steps towards good information security management.
Your starting point should always be to understand the scope of your organisation including your business context, operating locations, and the coverage of your current information security and IT framework(s). This is the first step to understanding your specific requirements under the DSPT such as your organisational category, mandatory evidence items, and the number of submissions you are required to make.
The next step should be to assess your current security processes and controls against the mandatory evidence items and identify any gaps in your framework. From there you can begin to develop and implement a roadmap to align your organisation with the DSPT and achieve “Standards Met”.
The processes and controls identified in your roadmap should always be developed with good risk management at their heart. Understanding the threat landscape of your organisation and your own risk objectives is fundamental to a mature security posture. First, identify and evaluate your information security risks, then implement controls based on the outcome of these comprehensive risk assessments that mitigate the risks to a tolerable level, taking into account your commercial objectives, risk appetite, and budgetary constraints. Build continuous monitoring and improvement into your security management processes in order to ensure your security strategy remains effective in an evolving threat environment. Finally, it is vital that you communicate that this is not only an “IT” assessment but will require buy-in and action from your entire organisation and senior leadership.
Our team of experienced security professionals have successfully worked with organisations to achieve compliance with the DSP Toolkit. Our consultants can support your organisation through the entire certification process.
This includes an initial assessment of your information security risk management posture, developing a prioritised roadmap to achieve compliance, development and implementation of appropriate policies, procedures, and controls in line with the roadmap and risk management best practice, and finally completing the self-assessment.
If you have questions regarding the DSP Toolkit and certification process, please call us for a no-obligation chat.