Information and Resources - Hampshire Care Association

Free resources to help you complete the Data Security Protection Toolkit (DSPT).

DSPT Helpline 07434 571207

Digital Champion

Documents/policies needed to complete to Standards Met

The 10 Data Security Standards

The policies and documents needed to complete the DSPT are listed below:

ICO Registration Number

All companies that handle data in any form must be registered with the ICO (Information Commisioners Office).  It is an offence if you hold or process data and are not registered.

Registration is easy and is done online at For most organisations there is a £40 fee but it can vary.

The ICO Registration number is a requirement of the DSP Toolkit and you cannot complete the Toolkit without it.

If you are registered but cannot find your ICO number you can search for it here

Data Privacy Policy

Your data privacy policy is an overarching document which sets out how you collect personal data, what it is used for and how long it is retained. It must also stipulate how individuals can view or challenge the use of this data.  This policy must be easily accessible and produced on demand.  It may consist of several documents or a single document. Most organisations publish this on their website (often as a permanent link in the page  footer) it may also be included in your service user contracts.  There are many standard templates available that are GDPR compliant.

You can see the associations privacy policy at    You will need to state that you have a policy and specify where it is held.

Staff Data Policy

Staff must be aware of the safe and secure use of data and their individual responsibilities pertaining to its use and access.  This should be included in your standard staff procedures and manuals. All staff must be made aware of your policies and their responsibilities on induction and reviewed regularly. You can see an example policy here   You will need to state that you have a policy and specify where it is held.

Data Register

This is a list of all the data you hold, where it is held and whether or not this is shared with other organisations. The Data Register is made up of several different documents. It is entirely up to you if you maintain a single register or have them as separate documents. These are:

  • Information Asset Register : This is a document including details of the type, location, software, owner, support and maintenance arrangements, quantity of data and how critical they are to the organisation. You will need to state that you have a policy and specify where it is held.
  • Retention Register. A document stating how long data is held and when it is due for destruction/disposal
  • List of Suppliers and any data sharing arrangements (if applicable) : You must be able to provide a list of your current suppliers with whom you share data or who process personal data of your service users or staff. It must also include the nature of the data processing and when the contract expires (eg outsourced payroll). If you do not have any such arrangements you can state not applicable in the Toolkit.  If you do, you will need to state that you have a register an d specify where it is held.

Staff Bring Your Own Device Policy (BYOD) – new

If you allow staff to use their own phones/mobile devices you must have a policy outlining how this works and how it is managed. You do not need this policy if staff do not use their own devices

  • A Training Needs Analysis of Data Protection/Security needs
  • Systems Administers need to sign an agreement holding them to higher standards
  • A document highlighting any unsupported software you use and the business need and risk (if you have unsupported software)

Make sure you have the information stated above to hand before you begin the assessment questions as this will save you a lot of time.

Completing the Assessment

The Toolkit comprises a list of 44 questions which when completed will take you to standards met. (DSPT Toolkit Completed)

If you only complete the mandatory questions (27 questions in total) You will not be able to publish at Approaching Standards unless you upload an action plan on how you plan to address the issues stopping you from publishing at Standards Met The action plan is provided as a downloadable spreadsheet from the DSPT assessment page and identifies the additional evidence required.

Once published the Toolkit results are normally valid for 12 months. 

Toolkit Question Types:

The toolkit will ask you three types of questions:

1 A tick box to confirm your answer (essentially yes or no).

2 A text comment/statement

3 Upload a document, reference a document or weblink or enter text – You should always use the ‘enter text option; you do not have to upload documents unless you want to but you must specify in the text box where the document is located (eg on a computer in the care home).
All questions include an optional comments box – we recommend that you don’t make any comments.

Free resources

Skills for Care Masterclass: Using Instagram to boost your recruitment and retention
Tuesday 3 May, 10 – 11:30
Are you looking for creative ways to attract and retain high-quality candidates for your social care organisation? Would you like to know the latest best practice in social media marketing? Join Skills for Care for a series of social media masterclasses with digital marketing expert Paul Ince from LikeMind Media.
NHSmail drop in session for care providers
Wednesday 4 May, 11 – 12:00Wednesday 11 May, 11 – 12:00
Are you a care provider who has a question about NHSmail? The NHSmail team are now running weekly drop-in sessions to help with any questions you have.Please note that these sessions are for staff working in social care provider organisations only. Commissioners and individuals who provide support to care providers are asked not to join these sessions.
Using the Data Security and Protection Toolkit for the first time
Thursday 12 May, 15:00 – 16:00
This webinar is for care providers who have never used the DSPT before. It is part of a monthly series of sessions on the DSPT. It will cover how to:Register for the DSPT – including how to register if you have multiple services and sitesComplete to Approaching Standards and Standards MetPublish your DSPT standardAccess free, official support from the Better Security, Better Care programme.
Review and republish your Data Security and Protection Toolkit
riday 13 May, 14:00 – 15:00
This webinar is for care providers who have published before, and are reviewing and republishing their DSPT. It is part of a monthly series of events on the DSPT. It will cover how to:Login to your DSPT accountReview your DSPT – including what is different if you were previously published at Entry Level or Approaching StandardsComplete to at least Standards MetPublish your DSPT standardAccess free, official support from the Better Security, Better Care programme.
DSPT for Social Care: What LA and NHS Commissioners & Quality Assurance Leads need to know
Tuesday 17 May, 15:00 – 16:00
Presenters include Mark Williams, Local Government Association, Michelle Corrigan, Better Security, Better Care and representatives from local authorities and NHS commissioners.Care providers are using more technology than ever before. Data about people using care services, staff, and partner organisations are being routinely stored and frequently shared. But how can commissioners and quality assurance leads check that social care providers are following good data protection and cyber security practice? We will explore:What is the DSPT for social care and what are the benefitsHow to check a care providers’ DSPT status and what it meansHow and why local authorities and NHS bodies are encouraging the use of the DSPTHow you can get involved
Contribute to shaping the future of interoperabilitySocial Care Focus Group session: 
Tuesday 24 May, 10:00 – 11:00
The Faculty of Clinical Informatics (FCI) has been commissioned by NHS England/Improvement Transformation Directorate to lead a consultation on their draft Standards and Interoperability Strategy. The proposed strategy has been drafted in collaboration with stakeholders from across the health and social care ecosystem.Over the coming weeks, the NHS Transformation Directorate and FCI are looking to gather feedback on the draft strategy from a wide range of voices who have an interest in digital health, including developers, clinicians, care professionals, commissioners, patients and the public.These focus groups aim to ensure the strategy is robust, ambitious and attainable. You can find out more about this work on the FCI website.