1. Overview and user guide

1. Introduction
This page provides an overview of the Data Security and Protection Toolkit and its core functionality.  We aim for the Data Security and Protection Toolkit to be usable without reference to detailed guidance.  The .pdf user guides provided on this page are historic and depreciated.  These are provided for reference for financial year end 19-20 only.

If you need further support please contact the helpdesk or join a webinar.   Once logged in, you can use the feedback form to give us feedback and suggestions.

 
 
2. What is the Data Security and Protection Toolkit?
The Data Security and Protection Toolkit (DSPT) is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards.
 
All organisations that have access to NHS patient data and systems must use the DSPT to provide assurance that they are practising good data security and that personal information is handled correctly.
 
The DSPT is an annual assessment. As data security standards evolve, the requirements of the Toolkit are reviewed and updated to ensure they are aligned with current best practice. Organisations with access to NHS patient data must therefore review and submit their DSPT assessment in each financial year before the 31st March deadline.
 
The DSPT also provides organisations with a means of reporting security incidents and data breaches.

 
 
3. Why complete a DSPT assessment?
All organisations that have access to NHS patient information must provide assurances that they have the proper measures in place to ensure that this information is kept safe and secure. Completion of the DSPT is therefore a contractual requirement specified in the NHS England standard conditions contract and it remains Department of Health and Social Care policy that all bodies that process NHS patient information for whatever purpose provide assurances via the DSPT.
 
Completion of the DSPT is also necessary for organisations which use national systems such as NHSmail and the e-referral service.

 
 
4. Registration
To register to complete the DSPT you need an email address and your organisation’s ODS code. You can look up your ODS code by searching for your organisation on the ODS portal. If you do not have a valid organisation code or cannot find your organisation on the portal, you should log a query with the ODS team via the Exeter Helpdesk.
 
If you attempt to register and receive a message stating that your organisation already has an administrator, then you will have to contact this person directly as they will be responsible for adding new users for your organisation. If you do not know the identity of your organisation’s administrator, then please contact the Exeter Helpdesk.
 

 
5. First steps (organisation profile)
When you register and log in for the very first time, you will be asked to choose the most appropriate sector for your organisation, to provide details of key roles and whether you have any relevant certifications.  This is called the “organisation profile”.  The answers you give here – will tailor the questions you need to respond to in your assessment (see below).  You can change your answers later – and will be prompted to check this information when you publish an assessment.

 
 
6. The requirements
The requirements for the DSPT are tailored to your organisation type. Organisations such as NHS Trusts and Clinical Commissioning Groups will have to complete a more extensive assessment than a smaller organisation such as a dentist or an optician.
Guidance on selecting the correct organisation type for your organisation can be found on our help pages.
 
Information regarding the Toolkit Standard and a full list of the requirements for all organisation types for 2019-20 are provided on the DSPT news pages.

 
 
7. Completing an assessment
Following successful registration on the DSPT you should aim to complete a ‘standards met’ assessment. To complete a ‘standards met’ assessment you must respond to all the questions which are indicated as being mandatory. The questions you must complete are determined by your organisation type.
 
Some organisation types will be able to complete an ‘entry level’ assessment. This is a slimmed down version of the Toolkit containing only the most critical requirements. Further information on completing an entry level assessment is detailed in the entry level section below. 
 
The DSPT is organised under the 10 data security standards. Under each standard there are a number of “assertions” which you will need to work through.  To complete each assertion, you are required to provide evidence items which demonstrate compliance with the assertion.  To achieve ‘standards met’, you must complete all mandatory evidence items.
 
Once all the mandatory evidence items have been completed and assertions confirmed you will be able to publish your DSPT. You can republish your assessment at any time if you need to make any changes to information you have provided.  You must however ensure that your organisation has published an assessment by 31st March every year.
 
Step by step guidance on completing the DSPT for social care organisations is also available.  This guidance may be of interest to any smaller organisation.  Please see section 12, below.

 

8. Visibility of assessments

Once you have published your assessment, you will receive a confirmation email.  Your completed status can also be confirmed by using the Organisation Search function on the Toolkit – the content of which is updated every 10 minutes.
 
This displays your organisation’s toolkit status. No information on the content of your toolkit is available publicly.

 
 
9. Adding more users
Administrators can add additional users from the ‘user list’ page.  This page is available to administrators only via the ‘Admin’ drop-down menu.  This page includes a description of the permissions / roles which are available.  If you require access – please speak to your local administrator.

 
 
10. Entry level assessments
Certain organisation types are eligible to complete an ‘entry level’ version of the assessment. Whilst this is not the same as meeting the full DSPT standard, it does offer assurance that critical data security measures have been implemented. In addition to this, completing and publishing an ‘entry level’ DSPT assessment supports access to NHS mail (see below).
 
A list of the organisation types eligible to publish an ‘entry level’ assessment and a complete list of the evidence items you are required to complete can be found on the DSPT help pages.

 
 
11. Completing the Data Security and Protection Toolkit to get NHS Mail
Completion of the DSPT, either at ‘entry level’ or ‘standards met’ level, is one of the prerequisites for access to NHS Mail.
 
If your organisation is interested in adopting NHSmail – please visit the NHSmail support pages.  A dedicated NHSmail helpdesk is also available.

 

12. Support to Social Care organisations
In order to support Social care organisations that are new to the DSPT, specific social care guidance is available including responses to questions which are frequently asked by care providers.

 
 
13. Headquarters (HQ) assessments (organisations with multiple sites / branches)
If your organisation is made up of multiple sites or branches, which all follow the same policies and exist as a single legal entity, then you may choose to publish a single assessment at HQ level.  This assessment can then be applied to all the sites listed under the HQ.  The process for publishing an HQ assessment depends on your organisation type as follows:

 
 
13.1 HQ assessments for Social Care, Pharmacy or Optician organisations
You should complete the DSPT under the ODS code for your HQ or Head Office organisation.
 
When you come to publish your assessment, the Toolkit will display the list of sites related to the HQ, allowing you to select the sites you want to include in the submission. You can check your list of sites before you publish.  The list of related sites is taken from ODS data - if this is list is incorrect, please contact the Exeter Helpdesk at the earliest opportunity.
 
You may wish to publish for selected sites initially and then publish a further assessment later (including additional sites, when the list is corrected).
 
Detailed guidance on registering and publishing assessments for social care organisations (including those with complex legal structures) is also available. This guidance may also be helpful for other types of organisations.

 
 
13.2 HQ assessment for other sectors
Other sectors with a HQ / site structure should firstly, publish a DSPT assessment then, please log a call with the Exeter Helpdesk. In this request, please provide the list of ODS codes for your sites (in either table or spreadsheet format) and confirm that all sites follow the same processes as the organisation which has published.
 
The helpdesk will then apply the published assessment to the list of sites you have provided.

 
 
14. Providing evidence for multiple separate organisations
For users who complete a separate toolkit for multiple organisations, there is a function which allows you to see how each organisation you support has responded to specific evidence items.  It also allows you to provide a new response to text, date and checkbox questions in bulk for multiple separate organisations in one go.
 
When you log in – you will see an option to ‘Provide evidence for multiple organisations in one go’.
 
For evidence items that require a document response, it is only possible to REVIEW responses in bulk.  Expansion of this functionality will be kept under consideration as we monitor usage of the new tool.

 
 
15. Incident reporting
It is the duty of all health and care organisations that process personal data to report any data breaches to the Information Commissioner’s Office via the DSPT within 72 of discovering an incident.  See further guidance on Incident Reporting.

 
 
16. Completing the toolkit using the incorrect ODS code
Where an organisation has completed their toolkit under the wrong ODS code their assessment can be transferred to the correct code. In this instance please contact the helpdesk.

 

17. Further help
If you require any further help, please see our responses to frequently asked questions