31st March 2020 marks the deadline for 2019/20 NHS Data Security and Protection Toolkit (DSPT) submissions and for many organisations, completing the submission and achieving a ‘Standards Met’ status can be a daunting prospect. Depending on the type of your organisation, you may have to complete up to 116 independent assertions, conduct an independent audit of your submission and complete satisfactory penetration testing and vulnerability scans. 116 is a big number, so it sounds like a big job. But it doesn’t need to be.
Fortunately, there are steps you can take to reduce that burden and PGI can work with you to help identify what additional accreditations can aid your DSPT submission and add real value to the information governance and security of your organisation.
Through a DSPT Gap Analysis, PGI can look at your existing submission, offer guidance for any outstanding assertions and ensure that you are not only providing sufficient evidence for your DSPT submission, but also that you have selected the company type most relevant to your organisation—this will ensure you’re not over- or under-scoping.
In some cases, a Cyber Essentials Plus or ISO 27001 accreditation may be an appropriate means to reduce the overall burden of compliance to your organisation and PGI can provide a plan to implement these. We will take into account your existing policies, processes and procedures, allowing you to maximise the impact of compliance best practice which, in many cases, your organisation may already achieve.
To make it easy to work out how your organisation can simplify your submission, we’ve created an infographic that illustrates what is required to achieve a ‘Standards Met’ score within the DSPT, as well as the steps that may be appropriate to enhance your submission.
What is the NHS Data Security and Protection Toolkit?
The NHS Data Security and Protection Toolkit is an online self-assessment tool for all organisations that have access to NHS patient data and systems. It allows these organisations to measure their performance against the National Data Guardian’s 10 data security standards. They are required to use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.
All organisations that are required to comply with the DSPT must resubmit annually by 31 March with a self-assessed grade—which is then reviewed and confirmed by the NHS:
- ‘Standards not met’ – the organisation has not completed all mandatory assertions
- ‘Standards met’ – the organisation has completed all mandatory assertions
- ‘Standards exceeded’ – the organisation has completed all mandatory assertions and at least one of the non-mandatory assertions
A status of ‘standards not met’ is undesirable as it could lead to an organisation being denied access to information sharing tools, such as NHSmail.
Our Information Assurance team are experienced in undertaking and auditing a wide range of regulatory compliance frameworks, including ISO 27001, PCI DSS and GDPR. In particular, the team can assist you in reviewing your DSPT submission, acting as your independent auditor.
We can also provide assistance in developing the submission; we offer a wide range of services to help complete your submission, including gap analysis, penetration testing, GDPR compliance support, Cyber Essentials Plus certification and/or ISO 27001 implementation. We will work with you to determine what you need, so you’re only spending what you must.
If you would like to discuss how we can help you meet your requirements, please contact us for a discussion: Call on +44 845 600 4403 or email us via firstname.lastname@example.org