Your web browser does not appear to have javascript enabled.

The Data Security and Protection Toolkit requires javascript to be enabled.

If you are unable to re-instate the javascript option on your browser please contact us and we will be able to help.

CCG/ICB Briefing (24 February 2022)

An update on actions to be taken for CCGs and ICBs for the 21-22 DSP Toolkit.

Introduction and Background

The Data Security and Protection (DSP) Toolkit is an online tool that enables relevant organisations to measure their performance against the data security and information governance requirements mandated by the Department of Health and Social Care (DHSC), notably the 10 data security standards set out by the National Data Guardian in the 2016 Review of data security, consent and opt-outs.

All organisations that have access to NHS patient data and systems must use this Toolkit to provide assurance that they are practising good data security and that personal information is handled correctly. Such organisations are required to carry out self-assessments of their compliance against the assertions and evidence items contained within the DSP Toolkit.

Integrated Care Boards

The Health and Care Bill, currently going through Parliament, sets out plans to put Integrated Care Systems (ICSs) on a statutory footing, empowering them to better join up health and care services, improve population health and reduce health inequalities.

The current proposals mean that each ICS would be led by an Integrated Care Partnership (ICP), a statutory committee bringing together all system partners to produce a health and care strategy for the local population. Each ICP will include as one of its partners an NHS Integrated Care Board (ICB), an organisation with responsibility for certain NHS functions and budgets. When ICBs are legally established, clinical commissioning groups (CCGs) will be abolished.

It was originally expected that these changes would come in to effect in April 2022. However, this target date has now been changed to 1 July 2022 to allow more time for the remaining parliamentary stages. See the NHS England » 2022/23 priorities and operational planning guidance for more information.

Key Messages

With the formation date for ICBs being 1 July 2022, the contingency arrangements for CCGs completing the DSP Toolkit for 21-22 are triggered.

- CCGs are required to complete the DSP Toolkit for 21-22, with a deadline of 30 June 2022.
- CCGs are not required to complete a baseline assessment for 21-22
- CCGs are not required to complete a DSP Toolkit audit for 21-22.
- ICBs are not required to complete the DSP Toolkit for 21-22.
- ICBs will complete the DSP Toolkit in 22-23.

ODS Codes

CCGs should complete the DSP Toolkit using their current ODS Code and DSP Toolkit registration.

Publication

CCGs will be required to publish a DSP Toolkit by 30 June 2022.

There is no requirement for an ICB to publish a toolkit assessment for 21-22. An ICB can voluntarily publish a DSP Toolkit, however, the CCG would still be required to publish their toolkit by 30 June 2022.

Improvement Plans

The Improvement plan process will be available to CCGs when submitting their toolkit publication in June 2022. There will be additional information required to ensure any outstanding actions are understood and transferred to the ICB.

Baseline Publications

CCGs are not required to complete a Baseline publication in February 2022 they can do so if they wish but this is entirely voluntary.

Audit

There is no requirement for CCGs to complete a DSP Toolkit Audit for 2021-22 – though they can complete a DSP Toolkit audit, but it is voluntary.

Evidence item 9.4.5 ‘What level of assurance (overall risk rating & confidence level rating) did the independent audit of your Data Security and Protection Toolkit provide to your organisation?’ will be exempted for CCGs for the 2021-22 DSP Toolkit.

Actions to take now

CCGs should complete their DSP Toolkits for 21-22.
CCGs should also continue working together in readiness for the transfer to ICB DSP Toolkits for 22-23.

Looking Ahead

The plan is for ICBs to be designated as Operators of Essential Services under NIS regulations and as such will be required to complete a Cat 1 DSP Toolkit for 2022-23.

The NHS X publication ‘What good looks like Framework’: contains some extra information on the role of ICBs in cyber security risk management.

Further information

The DSP Toolkit team will be running regular webinars for CCGs and ICBs on the DSP Toolkit with the next one on 8 March 2022 at 12.30. Further details are available at: https://www.dsptoolkit.nhs.uk/News/webinars

If you have any question in relation to the DSP Toolkit, please contact us via the Exeter Helpdesk: https://www.dsptoolkit.nhs.uk/Home/Contact