Data Security and Protection Toolkit (Version 4) 2021-22


The Data Security and Protection Toolkit is an annual self-assessment. The deadline for the 2021-22 publication is 30 June 2022.

Updated Audit Guides are available at https://www.dsptoolkit.nhs.uk/Help/Independent-Assessment-Guides

A spreadsheet listing requirements is available here: DSPT Requirements 21-22 1.02.xlsx

Further information on the standard is published on the NHS Digital website.

Key updates for the 2021-22 standard


NHS Trusts and CSUs - Category 1

Rationalise evidence items where they are now considered “business as usual” or where there is overlap between evidence items.

Update technical requirements to reflect the current threat landscape, including connected medical devices, with specific improvements on unsupported operating systems and asset criticality assessment.

Map requirements to the Information Commissioner’s Office Data Protection Self Assessment.

Commissioning Support Units (CSUs) have moved from Category 2 to Category 1.

Reflect feedback from stakeholders and organisations.

CE+ on-site assessment is a non-mandatory requirement for 21-22.

CCGs and DHSC ALBs - Category 2

Rationalise evidence items where they are now considered “business as usual” or where there is overlap between evidence items.

Update technical requirements to reflect the current threat landscape.

Map requirements to the Information Commissioner’s Office Data Protection Self Assessment.

Reflect feedback from stakeholders and organisations.

CE+ on-site assessment is a non-mandatory requirement for 21-22.

Subject to the passage of legislation, it is expected that Integrated Care Boards (ICBs) will be established on 1st April 2022. The ICB will be responsible for submitting a Data Security and Protection Toolkit (DSPT). 

In the event that ICBs are not yet established on 1 April 2022, the responsibility for submitting the DSPT will remain with existing CCGs.

CCGs or ICBs must publish a DSP Toolkit for 2021-22 by 30th June 2022.

 

Primary Care (excluding GPs), Social Care, Companies, Charity/Hospice, Researchers/Universities, Local Authorities, NHS Business Partners - Category 3

Evidence items updated to aid understanding with additional information provided to support completion.

Evidence items rationalised where there is overlap between evidence items.

 

GP - Category 4

Evidence items updated to aid understanding with additional information provided to support completion.

Supporting Documents