What is the Data Security and Protection Toolkit (DSPT)?
The DSP (Data Security and Protection) Toolkit is a National Health Service (NHS)-specific security and privacy assessment tool. You can see more information at https://www.dsptoolkit.nhs.uk/.
What is the purpose of the Data Security and Protection Toolkit (DSPT)?
The DSP (Data Security and Protection) Toolkit allows organisations to measure their performance against the National Data Guardian's 10 data security standards, as well as supporting compliance with legal and regulatory requirements (e.g. the GDPR and NIS Directive) and Department of Health and Social Care policy. It is one of several mechanisms in place to support Health and Social Care organisations within the UK to manage data security and data protection risk.
What organisations does the DSPT apply to?
The DSP Toolkit is often described as being applicable to organisations which "access NHS patient data and systems". However, this is a broad and somewhat ambiguous description: the DSPT guide specifically refers to those organisations that process NHS patient data; have continuing healthcare services funded by the NHS; or have access to national informatics services.
Specifically, this is intended to include healthcare providers outside the NHS, such as adult social care services in England, including residential and nursing homes, supported living, homecare, extra care, shared lives and day services.
Registration for the DSPT requires an organisation to be registered with NHS Digital as an "Organisation or Practitioner" on the above basis. Such organisations will have a unique "ODS code" as a registered care provider.
In-scope organisations carrying out their first assessment should complete this in line with the contract of services they are party to, or as required by the tendering process they are involved in.
The NHS services specifically intended to be in scope, for which completion of the DSPT is required, are those offered to support the operation of third-party health and social care provider organisations and businesses, including:
- GP Connect;
- Local shared care records;
- Proxy access to GP records;
- Proxy access for medication ordering; and
- Summary care records.
What does the DSPT cover?
The toolkit covers such areas as privacy and data protection policies, how you store and back up data, how you secure mobile devices, business continuity in the event of a cyber incident, and how you manage your IT security and support.
How is DSPT compliance assessed?
The Data Security and Protection Toolkit is assessed initially by organisations themselves via an online self-assessment tool.
The submitted responses may then be audited by one of a number of registered independent assurance and audit providers. All DSPT independent assessment/audit providers must follow the guidance provided by NHS Digital in its assessment guides.
Has AppCheck completed a DSPT assessment?
AppCheck has not to date completed an assessment against the DSPT. Since AppCheck is not a registered care provider, does not access in-scope NHS systems, and has not been issued an ODS code, it is our current understanding that a DSPT assessment is not required for our business.
AppCheck does, however, fully commit to data protection and security, having assessed its GDPR preparedness and gained ISO27001 accreditation/certification. More details on these and other commitments to security and privacy can be viewed on our compliance webpage at https://appcheck-ng.com/compliance/
Should you believe that AppCheck should complete a DSPT self-assessment in order to scan a service that you operate and which contains NHS patient or other confidential data, then please contact your account manager for further assistance.