Free resources to help you complete the Data Security Protection Toolkit (DSPT).
DSPT Helpline 07434 571207
Digital Champion email@example.com
Documents/policies needed to complete to Standards Met
The policies and documents needed to complete the DSPT are listed below:
ICO Registration Number
All companies that handle data in any form must be registered with the ICO (Information Commisioners Office). It is an offence if you hold or process data and are not registered.
Registration is easy and is done online at https://ico.org.uk/ For most organisations there is a £40 fee but it can vary.
The ICO Registration number is a requirement of the DSP Toolkit and you cannot complete the Toolkit without it.
If you are registered but cannot find your ICO number you can search for it here https://ico.org.uk/esdwebpages/search
Staff Data Policy
Staff must be aware of the safe and secure use of data and their individual responsibilities pertaining to its use and access. This should be included in your standard staff procedures and manuals. All staff must be made aware of your policies and their responsibilities on induction and reviewed regularly. You can see an example policy here You will need to state that you have a policy and specify where it is held.
This is a list of all the data you hold, where it is held and whether or not this is shared with other organisations. The Data Register is made up of several different documents. It is entirely up to you if you maintain a single register or have them as separate documents. These are:
- Information Asset Register : This is a document including details of the type, location, software, owner, support and maintenance arrangements, quantity of data and how critical they are to the organisation. You will need to state that you have a policy and specify where it is held.
- Retention Register. A document stating how long data is held and when it is due for destruction/disposal
- List of Suppliers and any data sharing arrangements (if applicable) : You must be able to provide a list of your current suppliers with whom you share data or who process personal data of your service users or staff. It must also include the nature of the data processing and when the contract expires (eg outsourced payroll). If you do not have any such arrangements you can state not applicable in the Toolkit. If you do, you will need to state that you have a register an d specify where it is held.
Staff Bring Your Own Device Policy (BYOD) – new
If you allow staff to use their own phones/mobile devices you must have a policy outlining how this works and how it is managed. You do not need this policy if staff do not use their own devices
- A Training Needs Analysis of Data Protection/Security needs
- Systems Administers need to sign an agreement holding them to higher standards
- A document highlighting any unsupported software you use and the business need and risk (if you have unsupported software)
Make sure you have the information stated above to hand before you begin the assessment questions as this will save you a lot of time.
Completing the Assessment
The Toolkit comprises a list of 44 questions which when completed will take you to standards met. (DSPT Toolkit Completed)
If you only complete the mandatory questions (27 questions in total) You will not be able to publish at Approaching Standards unless you upload an action plan on how you plan to address the issues stopping you from publishing at Standards Met The action plan is provided as a downloadable spreadsheet from the DSPT assessment page and identifies the additional evidence required.
Once published the Toolkit results are normally valid for 12 months.
Toolkit Question Types:
The toolkit will ask you three types of questions:
1 A tick box to confirm your answer (essentially yes or no).
2 A text comment/statement
3 Upload a document, reference a document or weblink or enter text – You should always use the ‘enter text option; you do not have to upload documents unless you want to but you must specify in the text box where the document is located (eg on a computer in the care home).
All questions include an optional comments box – we recommend that you don’t make any comments.
- NHS Digital ODS Portal – Finding your ODS Code
- Registration (dsptoolkit.nhs.uk) – Registering for DSPT
- Log In (dsptoolkit.nhs.uk) – Logging into DSPT
- Data protection fee | ICO – ICO Registration/Renewal
- Template policies
- Cyber Aware Issue: Russian cyber activity in and around Ukraine
- https://www.digitalsocialcare.co.uk/resource/completing-the-dspt-q-and-a/ live link to a digital and social care page with frequently asked DSPT questions.
FREE DROP ON SESSIONS
NHSmail Drop In Sessions for Care Providers
Wednesday 3 August 2022
Are you a care provider who has a question about NHSmail? The NHSmail team are now running drop-in sessions every other Wednesday 2-2:30pm to help with any questions you have. There is no need to register, just click the link below to join the call.
Please note that these sessions are for staff working in social care provider organisations only. Commissioners and individuals who provide support to care providers around NHSmail are asked not to join these sessions.
Microsoft Teams meeting
Join on your computer or mobile app
Click here to join the meeting