New guidance available for DSPT Independent Assessment Providers, including Internal Auditors

Introduction

We have been working with PwC to create new assessment guidance for the DSPT, to replace the previous guidance: A Question of Balance.

The new guidance, "Strengthening Assurance", includes:

- DSP Toolkit Independent Assessment Framework

- DSP Toolkit Independent Assessment Guide

- DSP Toolkit Independent Assessment Summary of Guides

These are now available on the DSPT ‘help’ page: https://www.dsptoolkit.nhs.uk/Help/64

Note: The deadline for completing the DSP Toolkit has been extended to 30 September 2020 and these guides are valid until then.

Organisations in scope

The guidance is designed to be used by DSPT independent assessment providers, including internal auditors, when assessing DSPT submissions. The organisations in scope for mandatory annual audits of their DSPT self-assessments are:

- NHS Trusts (Acute, Foundation, Ambulance and Mental Health)

- Clinical Commissioning Groups

- Commissioning Support Units

- Arm’s Length Bodies

 

Notes

Please note that the guidance is still in development and is subject to change following further review. However, any audits completed following this guidance are still valid.

Whilst the guidance is available to adopt now, to avoid disruption to current audit schedules, existing audit and assurance methods are acceptable until 31st March 2020.

The purpose of the new guidance is to enable better assurance of DSPT submissions by increasing standardisation and harmonisation across audits and assessments. It will also facilitate a better understanding of data security and protection risk themes across the health and care system. 

The guidance and its implementation have been reviewed and refined following feedback from several stakeholders. Thank you to The Internal Audit Network (TIAN), including: Audit 360, ASW Assurance, MIAA, TIAA and West Midlands Ambulance Service NHS Foundation Trust, for their time and effort in reviewing the guidance and providing feedback and support.

We have also gratefully received input from our colleagues within NHS Digital's Assurance and Risk Management team.

 

Scope for 2019-20

For independent assessment or internal audit providers wishing to implement the new guidance, we have developed a recommended scope for 2019-20 assessments:

- Org Profile Check - Check sector, key roles (Mail system & CE plus scope - validity)

- 17 Selected Assertions (mandatory evidence items only) - 1.2, 1.4, 1.6, 1.8, 2.1, 3.2, 4.4, 5.1, 6.2, 6.3, 7.2, 8.4, 9.1, 9.2, 9.6, 9.7 and 10.2

- 3 Assertions locally determined - Any assertions in the DSPT not pre-selected

 

Opportunity to be involved:

We appreciate that the guidance still requires testing and trialling and will require further refinement. Therefore, we welcome any feedback and will take your comments into consideration when updating the guidance to reflect the 20-21 standard (April 2020).

Our next step will be to test the new guidance in a pilot phase; we are looking for a minimum of five trusts to volunteer to have their annual audit carried out under the new guidance. Any audits carried out as part of the pilot will be funded by NHS Digital and will qualify as a DSP Toolkit annual audit. If you are interested in being a part of this pilot, please contact cybersecurity@nhs.net, referencing DSPT Audit Pilot.