1. Overview and introductory guidance

1. Introduction
This page provides an overview of the Data Security and Protection Toolkit and its core functionality.  We aim for the Data Security and Protection Toolkit to be usable without reference to detailed guidance.  

If you need further support please contact the helpdesk, watch the videosSee the Standards met guide or join a webinar.   Once logged in, you can use the feedback form to give us feedback and suggestions.

2. What is the Data Security and Protection Toolkit?
The Data Security and Protection Toolkit (DSPT) is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards.
All organisations that have access to NHS patient data and systems must use the DSPT to provide assurance that they are practising good data security and that personal information is handled correctly.
The DSPT is an annual assessment. As data security standards evolve, the requirements of the Toolkit are reviewed and updated to ensure they are aligned with current best practice. Organisations with access to NHS patient data must therefore review and submit their DSPT assessment in each financial year before the 31st March deadline.
The DSPT also provides organisations with a means of reporting security incidents and data breaches.

3. Why complete a DSPT assessment?
All organisations that have access to NHS patient information must provide assurances that they have the proper measures in place to ensure that this information is kept safe and secure. Completion of the DSPT is therefore a contractual requirement specified in the NHS England standard conditions contract and it remains Department of Health and Social Care policy that all bodies that process NHS patient information for whatever purpose provide assurances via the DSPT.
Completion of the DSPT is also necessary for organisations which use national systems such as NHSmail and the e-referral service.

4. Registration
To register to complete the DSPT you need an email address and your organisation’s ODS code. You can look up your ODS code by searching for your organisation on the ODS portal. If you do not have a valid organisation code or cannot find your organisation on the portal, you should log a query with the ODS team via the Exeter Helpdesk.
If you attempt to register and receive a message stating that your organisation already has an administrator, then you will have to contact this person directly as they will be responsible for adding new users for your organisation. If you do not know the identity of your organisation’s administrator, then please contact the Exeter Helpdesk.

5. First steps (organisation profile)
When you register and log in for the very first time, you will be asked to choose the most appropriate sector for your organisation, to provide details of key roles and whether you have any relevant certifications.  This is called the “organisation profile”.  The answers you give here – will tailor the questions you need to respond to in your assessment (see below).  You can change your answers later – and will be prompted to check this information when you publish an assessment.

6. The requirements
The requirements for the DSPT are tailored to your organisation type. Organisations such as NHS Trusts and Clinical Commissioning Groups will have to complete a more extensive assessment than a smaller organisation such as a dentist or an optician.
Guidance on selecting the correct organisation type for your organisation can be found on our help pages.
Information regarding the Toolkit Standard and a full list of the requirements for all organisation types for 2019-20 are provided on the DSPT news pages.

7. Completing an assessment
Following successful registration on the DSPT you should aim to complete a ‘standards met’ assessment. A guide is available here: Standards Met Guide. To complete a ‘standards met’ assessment you must respond to all the questions which are indicated as being mandatory. The questions you must complete are determined by your organisation type.
Social care organisation will be able to complete an ‘approaching standards’ assessment indicating that care providers who have demonstrated good progress but have not yet reached Standards Met. 
The DSPT is organised under the 10 data security standards. Under each standard there are a number of “assertions” which you will need to work through.  To complete each assertion, you are required to provide evidence items which demonstrate compliance with the assertion.  To achieve ‘standards met’, you must complete all mandatory evidence items.
Once all the mandatory evidence items have been completed and assertions confirmed you will be able to publish your DSPT. You can republish your assessment at any time if you need to make any changes to information you have provided.  You must however ensure that your organisation has published an assessment by 31st March every year.
Step by step guidance on completing the DSPT for social care organisations is also available.  This guidance may be of interest to any smaller organisation.  Please see section 12, below or See the Standards met guide.


8. Visibility of assessments

Once you have published your assessment, you will receive a confirmation email.  Your completed status can also be confirmed by using the Organisation Search function on the Toolkit – the content of which is updated every 10 minutes.
This displays your organisation’s toolkit status. No information on the content of your toolkit is available publicly.

9. Adding more users
Administrators can add additional users from the ‘manage users’ page.  This page is available to administrators only via the ‘Admin’ drop-down menu.  This page includes a description of the permissions / roles which are available.  If you require access – please speak to your local administrator.

10. Approaching Standards assessments
Social care organisations are eligible to complete an ‘Approaching Standards’ assessment indicating that care providers who have demonstrated good progress but have not yet reached Standards Met.
11. Completing the Data Security and Protection Toolkit to get NHS Mail
If your organisation is interested in adopting NHSmail – please visit the NHSmail support pages.  A dedicated NHSmail helpdesk is also available.


12. Support to Social Care organisations
In order to support Social care organisations that are new to the DSPT, specific social care guidance is available including responses to questions which are frequently asked by care providers.

13. Headquarters (HQ) assessments (organisations with multiple sites / branches)
If your organisation is made up of multiple sites or branches, which all follow the same policies and exist as a single legal entity, then you may choose to publish a single assessment at HQ level.  This assessment can then be applied to all the sites listed under the HQ.  The process for publishing an HQ assessment depends on your organisation type as follows:

13.1 HQ assessments for Social Care, Pharmacy or Optician organisations
You should complete the DSPT under the ODS code for your HQ or Head Office organisation.
When you come to publish your assessment, the Toolkit will display the list of sites related to the HQ, allowing you to select the sites you want to include in the submission. You can check your list of sites before you publish.  The list of related sites is taken from ODS data - if this is list is incorrect, please contact the Exeter Helpdesk at the earliest opportunity.
You may wish to publish for selected sites initially and then publish a further assessment later (including additional sites, when the list is corrected).
Detailed guidance on registering and publishing assessments (including those with complex legal structures) is also available. This guidance was initially written for social care but will also be helpful for other types of organisations.

13.2 HQ assessment for other sectors
Other sectors with a HQ / site structure should firstly, publish a DSPT assessment then, please log a call with the Exeter Helpdesk. In this request, please provide the list of ODS codes for your sites (in either table or spreadsheet format) and confirm that all sites follow the same processes as the organisation which has published.

Detailed guidance on registering and publishing assessments (including those with complex legal structures) is also available. This guidance was initially written for social care but will also be helpful for other types of organisations.
The helpdesk will then apply the published assessment to the list of sites you have provided.

14. Providing evidence for multiple separate organisations
For users who complete a separate toolkit for multiple organisations, there is a function which allows you to see how each organisation you support has responded to specific evidence items.  It also allows you to provide a new response to text, date and checkbox questions in bulk for multiple separate organisations in one go.
When you log in – you will see an option to ‘Provide evidence for multiple organisations in one go’.
For evidence items that require a document response, it is only possible to REVIEW responses in bulk.  Expansion of this functionality will be kept under consideration as we monitor usage of the new tool.

15. Incident reporting
It is the duty of all health and care organisations that process personal data to report any data breaches to the Information Commissioner’s Office via the DSPT within 72 of discovering an incident.  See further guidance on Incident Reporting.

16. Completing the toolkit using the incorrect ODS code
Where an organisation has completed their toolkit under the wrong ODS code their assessment can be transferred to the correct code. In this instance please contact the helpdesk.


17. Cyber Essentials + and ISO 27001 Certifications
If your organisation has a Cyber Essentials Certifcation covering all of your health and care data processing you record this in the Organisation Profile, availabel from the Admin menu. If your organisation has an ISO 27001 certification but does not have an option to record this in the Organisation Profile, please contact the helpdesk.


18. Standards Exceeded
If an organisation achieves Standards Met and has a current Cyber Essentials + certification recorded in its Organisation Profile then it's DSPT status will be displayed as Standards Exceeded.


19. Further help
If you require any further help, please see our responses to frequently asked questions