Briefing for CCGs and ICBs on Data Security and Protection Toolkit (21 October 2021)

Briefing for DSP Toolkit on CCGs and ICBs


Introduction and Background

The Data Security and Protection (DSP) Toolkit is an online tool that enables relevant organisations to measure their performance against the data security and information governance requirements mandated by the Department of Health and Social Care (DHSC), notably the 10 data security standards set out by the National Data Guardian in the 2016 Review of data security, consent and opt-outs.

All organisations that have access to NHS patient data and systems must use this Toolkit to provide assurance that they are practising good data security and that personal information is handled correctly. Such organisations are required to carry out self-assessments of their compliance against the assertions and evidence contained within the DSP Toolkit.


Integrated Care Boards

Subject to the passage of legislation, it is expected that Integrated Care Boards (ICBs) will be established on 1st April 2022 and Clinical Commissioning Groups (CCGs) will be abolished. ICBs will be established as Statutory bodies and will succeed CCGs. CCGs will be statutorily abolished and statutory obligations will be managed by ICB entities (via a transfer order).


Data Security and Protection Toolkit requirement for ICBs

Any ICBs formed by 1 April 2022 are required to complete and publish a DSP toolkit assessment by 30 June 2022.  This is to ensure there is no significant gap between the formation of the ICB and the requirement to complete a DSP Toolkit, thus providing a continuity of data security assurance.

If there were a long gap in data security assurance this would impact on local information sharing agreements and access to systems which are dependent on having a completed DSP Toolkit assessment.

Completing a DSP Toolkit early in the life of the ICB will be an opportunity to ensure data security and protection is considered and embedded at the outset of the new organisation.


ODS Codes

ICBs will inherit the Sustainability and Transformation Plans (STP) Organisation Data Service (ODS) codes. Further details, can be found at:

For DSP Toolkit purposes, ICBs will initially inherit STP Names though they will be amended to ICB names, when the ICB naming convention is agreed.

As CCGs close, their names will change to an agreed naming convention, i.e. NHS Doncaster CCG (Closed).


The ICB DSP Toolkit assessment



ICBs will be required to publish a DSP Toolkit by 30 June 2022.

There is no requirement for a CCG to publish a toolkit assessment before it is abolished on 31 March 2022. A CCG can voluntarily publish a DSP Toolkit, however, the successor ICB would still be required to publish their toolkit by 30 June 2022.

The ICB publication is for the legal entity of the ICB only. The DSP Toolkit does not cover all the organisations represented by the ICB.


Improvement Plans

The Improvement plan process will be available to newly formed ICBs when submitting their toolkit publication in June 2022.  There will be more flexibility on the number of items allowed in the improvement plan and a longer timescale for completion of actions than in the current process.


Baseline Publications

ICBs and CCGs are not required to complete a Baseline publication in February 2022 -  they can do so if they wish but this is entirely voluntary.



There is no requirement for ICBs or CCGs to complete a DSP Toolkit Audit for 2021-22. – though they can complete a DSP Toolkit audit but it is voluntary.

Evidence item 9.4.5 ‘What level of assurance (overall risk rating & confidence level rating) did the independent audit of your Data Security and Protection Toolkit provide to your organisation?’ will be exempted for ICBs for the 2021-22 DSP Toolkit.


Completing the ICB DSP Toolkit

ICBS will complete a Category 2 DSP Toolkit for 2021-22, (which is the same category that currently applies to CCGs) under a new Primary Sector of CCG/Integrated Care Board (ICB).

As the ICBs will inherit the STP codes, these are available now - further details at:

NHS Digital will set up accounts for the STP Organisations on the DSP Toolkit with blank assessments. and, once the ICB is legally established, will amend the organisation name to the ICB name. The blank assessment will not include any details from other DSP Toolkits.


Actions to take now

CCGs should begin working together in readiness for publishing an ICB DSP Toolkit in June 2022 covering the legal entity of the ICB.

To enable this to happen, the first task is to register a user to act as administrator for the ICB DSP Toolkit (which is currently set up under the STP Organisation code). The administrator can set up other users on the ICB DSP Toolkit. To register, one person from each future ICB should email with details of which ICB they represent. Once set up, the administrator can set up the other users who will require access and assign their access levels.

When accessing the blank DSP Toolkit assessment for the first time you will be asked to complete the Organisation profile.

- You should select CCG as your primary sector to ensure you receive the correct evidence items. The primary sector will be updated centrally to CCG/ICB shortly.

- The questions on the key roles of SIRO, Caldicott Guardian, IG Lead and DPO do not require a response at this stage and can be completed at any time prior to the    publication deadline of 30 June 2022.

Starting to complete an ICB DSP Toolkit should form part of the planning for the establishment of the ICB. The teams responsible for completing the DSP Toolkit should be creating a joint plan for the ICB.

Whilst some activities will not be possible until the organisation is legally established, there are several activities which may take some time so it would be helpful to begin planning these in advance. These activities include:

- Staff Awareness Training

- Understanding the combined Information Assets of the ICB and the Records of Processing Activity

- Understanding the position on supported software and operating systems

- Understanding Suppliers who process personal data across the ICB

- Developing policies and procedures and agreeing common formats

- Planning how incidents will be managed

- Understanding how existing spot check/assurance arrangements can be utilised and formed into a combined programme to be used as ICB evidence.



If the ICBs are not established, then the CCG will be required to publish a toolkit assessment before 30 June 2022.


Looking Ahead

The plan is for ICBs to be designated as Operators of Essential Services under NIS regulations and as such will be required to complete a Cat 1 DSP Toolkit in subsequent years. However, for the toolkit year 2021-22, ICBs will complete a Category 2 DSP Toolkit with the expectation that they will complete a Cat 1 Toolkit assessment for 2022-23.

The NHS X publication ‘What good looks like Framework’: contains some extra information on the role of ICBs in cyber security risk management.


Further information

The DSP Toolkit team will be running regular webinars for CCGs and ICBs on the DSP Toolkit. The next one is on Thursday 21 October 2021 12.30-13.30. Further details are available at: Slides from Webinar are available at:  2021-10-21 CCG-ICB Update .pdf

If you have any question in relation to  the DSP Toolkit, please contact us via the Exeter Helpdesk 


Supporting Documents