I have been providing NHS Data Security and Protection Toolkit guidance and audits for the last few years now. New companies enter the space, the criteria get expanded and changed, the deadline creeps up on people, and then we prepare to do it all again next year. I quite like it!
I realise, however, that I may be in the minority. Still, I would like to offer some help to organisations out there. So here are the most common questions I have been asked in my time.
What is the DSPT and why is it required?
The NHS DSPT is an online self-assessment tool that organisations use to measure their implementation of data protection and information security against the National Data Guardian standards.
Who needs to complete the DSPT?
Any organisation that has access to NHS patient data and systems must complete the DSPT. Ideally, the person or team responsible for safeguarding personal data should lead the self-assessment. The IT team are likely to have some input, so involving them from the start can be helpful!
Does my organisation need to complete the DSPT?
I appreciate that ‘any organisation that has access to NHS patient data and systems’ is not an overly helpful description.
In practice, if your organisation in any way has access to NHS patient data then you are in scope. This can range from you being an external service that sees NHS patients or even an IT service that provides a niche program. If that program sees NHS data and you can access it, you likely need to fulfil the DSPT.
My organisation is only small, do I still need to complete it?
The DSPT categorises organisations into Category 1, 2, 3 and 4 based on a number of criteria, one of which is size. Regardless of how much data you process as an organisation, if you process any level of NHS patient data you will be required to complete the Toolkit.
You will have fewer requirements as a smaller organisation; however, you will likely also have less manpower. My best piece of advice for organisations struggling to meet the demands is to start early. The earlier you identify an issue with your submission, the more time you will have to resolve it!
What is the difference between Standards Met and Standards Exceeded?
This is a question that went away and came back again. I, for one, am happy to see the return of standards exceeded.
There is no material difference aside from the wording on your certificate when you submit your Toolkit. That said, when two organisations tender for the same NHS contract and one holds Standards Met while the other holds Standards Exceeded, the difference may sway the decision!
The requirements, however, are much different. Standards Met can be achieved without any certification, but Standards Exceeded (at least for Version 8) requires a recent Cyber Essentials PLUS certification.
What happens if the DSPT is not completed?
If you have not submitted your DSPT by the deadline, you will not receive your certificate. When you supply to an NHS organisation, you are almost always required to attach your DSPT certification if the service involves personal data. Not being able to provide that limits your ability to compete and to show that you uphold high standards for data protection.
How long does it usually take to complete?
How long is a piece of string? It takes as long as it takes. You can speed up the process by ensuring you have the evidence ready and by preparing well.
How do you prepare for the DSPT?
NHS England releases changes for the DSPT in September, giving organisations months between the release of the criteria and the submission. You can check the mandatory areas long before the deadline and I actively encourage organisations to do so.
What evidence do we need to provide for DSPT?
The DSPT has some hard evidence requirements. For example, you will need a data protection policy. However, much of the DSPT is open: for a large part of the submission you simply need to be able to demonstrate that your solution meets the requirement of the criteria.
Each submission point on the DSPT has a list of suggested evidence which NHS England indicates would be acceptable. Rarely is the evidence required to demonstrate a criterion prescriptive. As with the changes, the evidence suggestions are also usually released in September, so you can have plenty of time to prepare.
Do we need Cyber Essentials or ISO27001 to pass the NHS DSPT?
You do not require either certification. However, both make certain evidence items exempt. A combination of the two removes a good portion of required evidence, provided you upload the evidence of your ISO or Cyber Essentials certifications.
Does my organisation require an audit?
The only organisations that need an audit are the ones that are placed in Category 1 or Category 2. If you are looking for an organisation to audit your submission, I hear one can be found here.
How do we manage the DSPT across multiple sites?
The NHS DSPT has a function labelled ‘Provide evidence for multiple organisations in one go’ which significantly reduces the time needed to repeat the DSPT across multiple organisations.
However, this function only works for checkboxes, text or date questions. If the evidence required is a document upload, that must be done on the organisation’s individual profile.
Our organisation has multiple areas that fit within these sectors, so which one do we choose?
The example I have worked with in the past was a private hospital that also ran some GP practices. These are different sectors under the DSPT. For this kind of situation, NHS England recommends that your DSPT submission reflects the bulk of your offering.
Who do we contact if we have any queries around the Toolkit?
NHS England are responsible for the Toolkit and they remain the best place to solve your queries. This can range from questions around evidence requirements to needing help with selecting your organisation’s category.
Where can we go for help with our actual submission?
As it so happens, you’re here! At DPAS we can offer assistance, guidance or auditing services around the submission of your DSPT.
There are other services out there, but this is my list of common questions, so I get to decide who I promote!
Want to learn more?
Join our upcoming webinar…