Data Security and Protection Toolkit (Version 3) 2020-21.

The Data Security and Protection Toolkit is an annual self-assessment. The deadline for the 2020-21 publication is 30 June 2021.

The 2020-21 requirements are provided on this page, together with details of any changes.

Updated Big Picture guides are available along with updated Audit guides.

 

Key updates for the 2020-21 standard

NHS Trusts - Category 1

Evidence items rationalised where they are now considered “business as usual” or where there is overlap between evidence items.

Extra evidence items have been added on Backups and Technical requirements.

Technical evidence items move from non-mandatory to mandatory, particularly items covering Cyber Essentials.

The CE+ on-site assessment is a non-mandatory requirement for 20-21.

 

CCGs, CSUs and DHSC ALBs - Category 2

Evidence items rationalised where they are now considered “business as usual” or where there is overlap between evidence items.

Additional evidence items have been added relating to Backups and Technical requirements.

The CE+ on-site assessment is a non-mandatory requirement for 20-21.

CCGs that are merging before 30 June 2021 should complete and publish their assessment before the merger. The newly merged CCG would not be expected to publish a further assessment during 20-21.

 

Primary Care (excluding GPs), Social care, Companies, Charity/Hospice, Researchers/Universities, Local Authorities, NHS Business Partners - Category 3

Evidence items updated to aid understanding with additional information provided to support completion.

Evidence items rationalised where there is overlap between evidence items.

Additional evidence items have been added relating to mobile devices and paper records.

 

GP - Category 4

Evidence items updated to aid understanding with additional information provided to support completion.

 

In-year updates

Since launching the 2020-21 standard, the following changes have been made:

22 April 2021: Changes have been made to guidance for requirement 1.6.6 for Category 3.

30 April 2021: Requirement 1.4.4 (national data opt-out) has been made non-mandatory to reflect current deadlines.

30 April 2021: Changes have been made to guidance for requirement 9.4.6 for Category 1 and 2 organisations.

Supporting Documents