DSPT Independent Assurance and Audit 2022-23 (Updated 5th June 2023 Enhanced Functionality Live)

Guidance for all NHS Trusts, ICBs, CSUs and DHSC Arm’s Length Bodies on having a DSPT audit carried out to the required mandatory scope and framework methodology.

Update 5/6/23 


For this year (22/23, deadline 30/6/23), you should ask your external auditor to submit the independent assessment / audit information on behalf of your organisation.


The enhanced functionality is now live (5/6/23) 

Auditor access 

You should give your appointed external auditor access to submit details of the independent assessment / audit information. 

You should: 

  • Speak to your auditor and instruct them to submit audit information for your organisation via the DSPT 
  • Go to the manage users page 
  • Add your external auditor as an 'Auditor' user

You may provide audit information on behalf of your organisation, but any information you submit will be considered 'unverified' and may be subject to additional validation and rectification post deadline (via the toolkit using the enhanced audit functionality).

Audit Report not available 

If your organisation is unable to provide an independent assessment / audit report for the current toolkit year, you must provide further details (via the toolkit using the enhanced audit functionality).

If for any reason the audit organisation has stated they will be unable to issue an audit report in time, please ask that audit organisation to contact us as soon as possible.


All DSPT independent assessment/audit providers must follow the guidance provided at: https://www.dsptoolkit.nhs.uk/Help/Independent-Assessment-Guides.

The purpose of the guidance is to enable better assurance of DSPT submissions by increasing standardisation and harmonisation across assessments. It will also facilitate a better understanding of data security and protection risk themes across the health and care system. 

It is mandated via the NHS Standard Contract and the DSPT requirement that the following NHS organisations annually complete a DSPT audit/independent assessment following this guidance:

- NHS Trusts (Acute, Foundation, Ambulance and Mental Health)

- Integrated Care Boards

- Commissioning Support Units

- DHSC Arm’s Length Bodies

Organisational Requirements:

Organisations must ensure that their audit provider follows the mandated scope, which for this year (mandatory evidence items only) is set out in the DSPT Independent Assessment Guide and detailed below:

1.3 Accountability and Governance in place for data protection and data security

2.1 Staff are supported in understanding their obligations under the NDGs Data Security Standards

3.4 Leaders and board members receive suitable data protection and security training

4.1 The organisation maintains a current record of staff and their roles

4.2 Org. assures good management and maintenance of identity and access control for NIS

4.5 You ensure your passwords are suitable for the information you are protecting

5.1 Process reviews are held at least once per year where data security is put at risk and following DS incidents

6.3 Known vulnerabilities are acted on based on advice from NHS Digital, and lessons are learned from previous incidents and near misses

7.2 There is an effective test of the continuity plan and disaster recovery plan for data security incidents

7.3 You have the capability to enact your incident response plan, including effective limitation of impact on your essential service. During an incident, you have access to timely information on which to base your response decisions

8.3 Supported systems are kept up-to-date with the latest security patches

9.3 Systems which handle sensitive information or key operational services shall be protected from exploitation of known vulnerabilities

10.1 The organisation can name its suppliers, the products and services they deliver and the contract durations

Organisational Audit provider requirement

Organisations shall ensure that their chosen audit provider is aware of the mandated framework which needs to be followed. The hallmark of the methodology is an output which includes: a risk rating against each of the 10 data security standards; an overall risk rating (based on the 10 individual ratings); and an overall confidence rating.

The example in the link below is from a previous year’s report (i.e. a different scope applies this year).

DSPT Audit Table.png

The presentation of these items can vary, but it is vital that they are present and that the framework is utilised in full.

To meet the requirement, the audit functionality must be used.


Supporting Documents