Data Security and Protection Toolkit

Presentation transcript:

Data Security and Protection Toolkit https://www.dsptoolkit.nhs.uk/

Re-Designing the IG Toolkit
- Provide time to implement the data security standards by reducing burden and duplication in the toolkit.
- KPIs that leaders can recognise and use to change culture.
- Making the first step more straightforward for smaller organisations.
- Listening to our stakeholders and piloting the new toolkit.
- Keeping the toolkit flexible and updating it more regularly.
- Developing suitable guidance.

Why is it Changing
- Static for a long period of time
- GDPR
- New threats
- Move to a continuous improvement model
- NDG Report

Understanding what the NDG review says on information governance
It's about trust! "Trust cannot be ensured without secure systems..." People trust the health and care system to protect their information. IG must support digital transformation; otherwise the risk of breaches increases and trust will be lost.

General Update
The requirements of the Data Security and Protection Toolkit (DSPT) are designed to encompass the National Data Guardian review's 10 data security standards. They also support the key requirements under the General Data Protection Regulation (GDPR) identified in the NHS GDPR checklist. The IG Toolkit assessed performance against three levels (1, 2 and 3), and organisations were required to provide evidence of compliance with at least level 2 for all elements of their assessment. The DSPT does not use levels; instead it requires compliance with assertions and their mandatory evidence items. The assertions and evidence items are designed to be concise and unambiguous, and documentary evidence is only requested where it adds value. Some evidence items are not required where an organisation uses NHSmail, or already holds a relevant standard (Cyber Essentials PLUS, ISO 27001, Public Services Network (PSN) Information Assurance).

How does the scoring work
Assertions sit under each standard. Evidence items sit under assertions and serve as an indicator of maturity in that area. For an organisation to be rated Satisfactory, it has to complete all of the mandatory items in its toolkit. https://www.dsptoolkit.nhs.uk/Help

Assertions
The assertions are less prescriptive than the predecessor requirements contained in the information governance toolkit. Assertions and their associated evidence indicate good practice rather than forming a complete predefined framework, which allows greater local integration. An assertion is a confident and forceful statement of fact or belief; evidence items are used to support the assertion.

Assertion Owners
There is an optional ability to allocate an owner to each assertion. The assertion owner confirms the assertion and must be a user of the DSP Toolkit. Before publication, the owner must confirm that they are satisfied that the evidence provided supports the assertion the organisation is making.

Evidence Items
Evidence items are either mandatory or not mandatory. Mandatory evidence items should be completed first; to meet the standard, all mandatory evidence items must be completed. Each evidence item has help text explaining what should be included in the response.

Guidance
Guidance is available in the Help menu. It is split into general items and a big-picture guide for each of the NDG standards. Guidance for many specific areas, such as Clinical Coding and Registration Authority, has been migrated from the existing toolkit. https://www.dsptoolkit.nhs.uk/Help Keep checking, as guidance is updated regularly.

User Types
- Administrator: can view and confirm assertions; view, add and edit evidence; allocate owners of assertions; publish the assessment; create and edit the organisation profile; create and edit users for their own organisation.
- Member: can view assertions; view, add and edit evidence items; confirm assertions where they are the owner of the assertion; view the organisation profile.
- Auditor: can view assertions and evidence (but not edit them); view the organisation profile (but not edit it).

New requirements in DSPT
- Leaders and board members receive suitable data security and protection training.
- Organisations undertake process reviews to identify and improve processes which have caused breaches or near misses.
- NHS organisations must act on CareCERT alerts and notifications.
- Organisations must complete a specific business continuity test for data security.
- Organisations must survey their software for unsupported systems.
- Organisations must ensure all networking components have had their default passwords changed.
- Large organisations must ensure their web applications are secure against the top 10 vulnerabilities.
- Large organisations must undertake a penetration test annually.
- Large organisations must flag to the board any suppliers with significant issues complying with the NDG standards.

Clinical Coding
- Still included in the Data Security and Protection Toolkit.
- Incorporated into NDG Standards 1 and 3.
- Training for clinical coders is included in the specialist training (Assertion 3.4).
- Clinical coding audit is included in the Data Quality Audit (Assertion 1.7).
- Guidance broadly unchanged from IGT V14.1.

FAQs
- SIRI tool being updated to a GDPR breach reporting tool, and to cover the NIS Directive for applicable organisations, ready for May 2018.
- Current toolkit will stay in read-only format.
- October baseline submission for large NHS organisations.
- Publication will be at summary level, not detailed.
- Training requirement largely unchanged.
- Ability to choose "secondary sectors" to be developed.

Care Quality Commission (CQC)
CQC well-led inspections will include data security, but how this will work is not yet fully agreed. CQC will use information from the DSPT together with intelligence from other sources. Data security includes more than cyber.

Recommended background reading
- National Data Guardian's Report
- Government's Response
- Data security standards
- Overall Guide