Frequently asked questions (updated 12th March 2019)

This list will be subject to ongoing review.


Q – (GENERAL) Why does my organisation have to complete a Data Security and Protection Toolkit assessment?

A – This is covered in the “About the Data Security and Protection Toolkit” help document, available from:


Q - (BASELINE ASSESSMENT) Does my organisation have to complete an October baseline assessment?

A - If your organisation is an NHS Trust, including Foundation Trusts, it has to complete an October baseline assessment. If you are any other sort of organisation, you do not have to complete an October baseline assessment.


Q - (BASELINE ASSESSMENT) Are details of the October baseline available to the public?

A - The only details available to the public will be whether you have completed an October baseline assessment and what date you published it.


Q - (BASELINE ASSESSMENT) Does the October baseline assessment have to meet a minimum standard?

A - The baseline does not have to meet a minimum standard and should be an assessment of where your organisation is currently, in terms of self-assessment against the Data Security and Protection Toolkit Standard.


Q – (INCIDENT REPORTING) If my organisation suffers a data breach / incident, should this be reported via the Data Security and Protection Toolkit, or the old IG Toolkit?

A – Please use the Data Security and Protection Toolkit for incident reporting.

We have worked with the Information Commissioner’s Office to develop a new GDPR compliant service.  Further guidance is available from:


Q – (INCIDENT REPORTING) How do I edit an incident?

A – It is not possible to edit an incident.

The scope of the DSPT incident reporting system is limited to the initial notification to regulators. Once notified, the incident is managed by the ICO using their case management system.

Where an incident has been reported to the ICO / DHSC, any further updates should be brought to the attention of the ICO directly. 

It is acknowledged that information held on the DSPT reflects the best understanding at the point the incident was initially notified. 


Q – (DATA QUALITY) Is Data Quality limited to clinical coding in the DSPT / Is Clinical Coding included in the DSPT?


A – For the data quality assertions and evidence items (as shown in the table below), it is recognised that, whilst clinical coding represents a vital portion of data quality and is included in the DSPT, it is not the only element. We have worked with our colleagues in Data Quality Assurance to produce guidance covering elements of data quality other than clinical coding, for large organisations and for smaller organisations. This guidance is now published.

If you have already started your data quality assurance before the new guidance became available, your assertion will be accepted for the first year of the Data Security and Protection Toolkit published assessment (2018/19).

Guidance on data quality and clinical coding audits is available in the Data Security Standard 01 Personal confidential data big picture guide.pdf


Assertion: Effective data quality controls are in place.

Evidence item: There is policy and staff guidance on data quality.
    In line with the organisation's data quality policy, there is guidance for staff that includes how to ensure the accuracy of personal information and how to correct errors.

Evidence item: The scope of the data quality audit was in line with guidelines.
    See Data Quality Audit Guidance

Evidence item: Date of last data quality audit.
    Regular data quality reviews of electronic and manual records are held to ensure the information continues to be accurate and adequate for the purposes of processing (for which it was collected).

Evidence item: Overall findings of last audit of data quality.
    Please do not include any elements of the audit that are sensitive.

For the next version of the toolkit v2 (2019/20), the wording of the assertions is being refined to add more clarity.


Q – (ORGANISATION PROFILE) We run a hospital but also some GP practices. Which sector should we choose?

A – You should pick the sector which reflects the largest bulk of the work you undertake as an organisation. We will be introducing functionality later in the year to allow organisations to report into other sectors where appropriate.

For more information, please see “organisation types” guidance, available via the help menu.


Q – (ORGANISATION PROFILE) The organisation profile asks if I have NHSmail, I don’t, but I do use another secure email provider (e.g. Office 365). Please can this be added to the organisation profile?

A – Where an organisation confirms NHSmail is the only email system used, there are (up to) three evidence items which the organisation no longer needs to provide.

We recognise that NHSmail is not the only secure email service; however, at this stage we do not intend to add further options.

We do not believe it is feasible for organisations to reliably and consistently self-certify that they have an alternate secure email service, in a way which avoids adding additional complexity and burden to the organisation profile process for all users.

This will be kept under review.


Q - (NHSMAIL SOCIAL CARE) I’m a social care provider and I have completed the DSPT entry level assertions, how can I join NHSmail? 

A - You can now publish an entry level assessment (see )


Q – (ORGANISATION PROFILE) Once I have completed my organisation profile, can my responses be changed?

A – Yes, an organisation profile can be changed at any time by an administrator, by using the admin menu. For example, your organisation may gain Cyber Essentials PLUS accreditation during the year, and you may wish to update your organisation profile accordingly.


Q – (THE STANDARD) Do requirements vary between sectors?

A – Yes, the assertions and evidence items are tailored depending on your organisation type. For example, a domiciliary care organisation will see a sub-set of those items which an Acute Trust (for example) would be expected to provide, and the language will be tailored to be appropriate for a smaller organisation.


Q – (THE STANDARD) What has happened to level 1, 2, 3? What does ‘good’ look like? 

A – The new toolkit does not feature levels 1, 2 and 3. To meet the new standard, organisations must respond to all evidence items which are identified as mandatory, and confirm the associated ‘assertions’.

Further guidance on what constitutes a “good” self-assessment will be provided during 2018, along with guidance to support new, smaller organisations to meet the expected standard.


Q – (GENERAL) Our company is made up of several divisions… should we complete one assessment or one for each division?

A – The general guidance on which organisations need to complete the toolkit is unchanged.

If you are a single legal entity and have a single ICO registration but have multiple sites, one toolkit could cover them all. If you have multiple legal entities, with multiple ICO registrations, it is unlikely that a single toolkit will cover everything. We would be happy to discuss how atypical organisations can make best use of the toolkit.


Q – (GENERAL) What does “beta” mean?

A – The “beta” logo indicates that the service is still subject to further development. For more information, please see the “system changes and release notes” article on the news page.


Q – (IG TOOLKIT ACCESS) Will we still be able to access the old toolkit for a period to access past reports?

A – Yes, this will remain available throughout 2018/19 and would only be discontinued with prior notice.


Q – (REPORTING) As a CCG, can we quickly identify the status of providers in our area?

A – This information is available from  It is anticipated that further functionality will be developed during 2018/19. Information from IG Toolkit 14.1 published assessments is available from the IG toolkit.


Q – (BULK SUBMISSIONS) We are a pharmacy chain, where is the bulk submission function?

A - It is planned to be released later this year. Please begin work on your HQ assessment to familiarise yourself with the evidence items and what pharmacies will have to undertake.


Q – (TRAINING) Staff surveys and the e-learning for health data security training are frequently mentioned within the toolkit. Do we have to use this training? Will the e-learning for health system automatically feed the DSP?

A – Organisations are encouraged to use the national e-learning for health training tool.

Use of local training is, however, acceptable where the SIRO (or equivalent) has formally confirmed that local training is of an equivalent or higher standard.

Where the Data Security and Protection Toolkit requests training KPIs, these should be entered on the system manually (our user research to date has indicated that users prefer no automation).

You can view the 'e-learning FAQs' at 


Q – (SUPPORT) Who should I contact if I have any queries?

A – Please contact the helpdesk if you have any queries. Contact details are available from the contact us page.

We appreciate your feedback, but please note that we are unable to respond to specific queries raised through the ‘feedback’ function. Please use the helpdesk for this purpose.