9. Frequently asked questions

This list will be subject to ongoing review.

 

Q – (GENERAL) Why does my organisation have to complete a Data Security and Protection Toolkit assessment?

A – This is covered in the “About the Data Security and Protection Toolkit” help document, available from: https://www.dsptoolkit.nhs.uk/Help/2

 ---------------------------

Q - (BASELINE ASSESSMENT) Does my organisation have to complete an October baseline assessment?

A - In 2019, if your organisation is a CCG, CSU, Government Arm's Length Body or NHS Trust (including Foundation Trust), it must complete an October baseline assessment. 

 ---------------------------

Q- I am using the new "Provide evidence for multiple organisations in one go" feature and sometimes I am only able to view answers, not change answers.  Why?

A- The '"provide evidence for multiple organisations in one go" function enables individuals to respond to text, date and checkbox questions in bulk.  For questions that require a document, it is only possible to review responses in bulk.  Expansion of this functionality will be kept under consideration as we monitor usage of the new tool.  We need to be satisfied that the feature is easy to use, popular and that performance & speed is acceptable.

 ---------------------------

Q – (INCIDENT REPORTING) How do I edit an incident?

A – It is not possible to edit an incident.

The scope of the DSPT incident reporting system is limited to the initial notification to regulators. Once notified, the incident is managed by the ICO using their case management system.

Where an incident has been reported to the ICO / DHSC, any further updates should be brought to the attention of the ICO directly. 

It is acknowledged that information held on the DSPT reflects the best understanding at the point the incident was initially notified. 

---------------------------

Q – (DATA QUALITY) Is Data Quality limited to clinical coding in the DSPT / Is Clinical Coding included in the DSPT?

 A –  Whilst clinical coding represents a vital portion of data quality and is included in the DSPT, it is not the only element. We have worked with our colleagues in Data Quality Assurance to produce guidance to cover more elements of data quality other than clinical coding in a large organisation and for smaller organisations. This guidance is now published.

Guidance on data quality and clinical coding audits is available in "Data Security Standard 01 - Personal confidential data big picture guide" https://www.dsptoolkit.nhs.uk/Help/23 

   ---------------------------

Q – (ORGANISATION PROFILE) We run a hospital but also some GP practices. Which sector should we choose?

A – You should pick the sector which reflects the largest bulk of the work you undertake as an organisation. 

For more information, please see “organisation types” guidance, available via the help menu.

 ---------------------------

Q – (ORGANISATION PROFILE) The organisation profile asks if I have NHSmail, I don’t, but I do use another secure email provider (e.g. Office 365). Please can this be added to the organisation profile?

A – Where an organisation confirms NHSmail is the only email system used, there are a small number of evidence items which the organisation no longer needs to provide.

We recognise that NHSmail is not the only secure email service, however, at this stage we do not intend to add further options.

We do not believe it is feasible for organisations to reliably and consistently self-certify that they have an alternate secure email service, in a way which avoids adding additional complexity and burden to the organisation profile process for all users.

This will be kept under review.

---------------------------

Q - (NHSMAIL SOCIAL CARE) I’m a social care provider and I have completed the DSPT entry level assertions, how can I join NHSmail? 

You can now publish an publish an entry level assessment (see https://www.dsptoolkit.nhs.uk/News/33 )

You should proceed with your NHSmail registration and confirm your information governance compliance via the NHSmail care home portal registration tool. (https://portal.nhs.net/Registration#/careprovider)

---------------------------

Q – (ORGANISATION PROFILE) Once I have completed my organisation profile, can my responses be changed?

 A – Yes, an organisation profile can be changed at any time by an administrator, by using the admin menu. For example, your organisation may gain Cyber Essentials PLUS accreditation during the year, and you may wish to update your organisation profile accordingly.

---------------------------

Q – (ORGANISATION PROFILE) Do I need Cyber Essentials Plus to complete a toolkit self assessment?

A – No.  If you do not have Cyber Essentials PLUS accreditation simply choose "no" or "don't know" when prompted.  Where organisations do hold Cyber Essentials PLUS they do not have to respond to some toolkit questions, but Cyber Essentials Plus certification is not mandatory. 

The same principle applies to any questions you may be asked about ISO 27001, NHS Mail, Pharmacy GDPR Workbook and PSNIA certification.

---------------------------

 Q – (THE STANDARD) Do requirements vary between sectors?

 A – Yes, the assertions and evidence items are tailored depending on your organisation type. For example, a domiciliary care organisation will see a sub-set of those items which an Acute Trust (for example) would be expected to provide, and the language will be tailored to be appropriate for a smaller organisation.

 ---------------------------

Q – (GENERAL) Our company is made up of several divisions… should we complete one assessment or one for each division?

 A – If you are a single legal entity and have a single ICO registration but have multiple sites, one toolkit could cover them all. Please contact the helpdesk and we will provide access to Headquarters "HQ" functionality and/or help you publish for all your sites.

If you have multiple legal entities, with multiple ICO registrations, it is unlikely that a single toolkit will cover everything. We would be happy to discuss how atypical organisations can make best use of the toolkit.

 ---------------------------

Q – (GENERAL) What does “beta” mean?

A – The “beta” logo indicates that the service is still subject to further development. For more information, please see the “system changes and release notes” article on the news page.

---------------------------

Q – (REPORTING) As a CCG, can we quickly identify the status of providers in our area?

A – This information is available from https://www.dsptoolkit.nhs.uk/News/34.

 ---------------------------

Q – (TRAINING) Staff surveys and the e-learning for health data security training are frequently mentioned within the toolkit. Do we have to use this training? Will the e-learning for health system automatically feed the DSP?

A – Organisations are encouraged to use the national e-learning for health training tool.

Use of local training is however acceptable where the SIRO (or equivalent) has formally confirmed that local training is of an equivalent or higher standard.

Where the Data Security and Protection Toolkit requests training KPIs, these should be entered on the system manually (our user research to date has indicated that users prefer no automation).

You can view the 'e-learning FAQs' at https://www.dsptoolkit.nhs.uk/News/30 

---------------------------

Q: Hi we are an Independent sector healthcare provider (ISHP)/ Non-NHS organisation applying for NHSmail. Do we have to do the DSP Toolkit at HQ/ Provider level or at a site by site level.

 

You will be required to complete a DSP Toolkit at HQ/ Provider level. Further information is available at https://www.digitalsocialcare.co.uk/latest-guidance/registering-for-the-data-security-and-protection-toolkit/ on registering sites and HQs. it was writeeen for social care sector but the advice is the same for ISHPs.  

---------------------------

Q – (SUPPORT) Who should I contact if I have any queries?

Please contact the helpdesk if you have any queries. Contact details are available from the contact us page.

We appreciate your feedback, but please note that we are unable to respond to specific queries raised through the ‘feedback’ function. Please use the helpdesk for this purpose.

---------------------------