DSP Toolkit


What is the DSP Toolkit?

The DSP Toolkit (Data Security and Protection Toolkit) replaced the previous Information Governance (IG) Toolkit in April 2018.

The latest version of the DSP Toolkit is Version 6, and the deadline for annual submission of the 2023-2024 publication is 30 June 2024.


The latest update incorporates the requirements of Cyber Essentials and the Minimum Cyber Security Standard (MCSS), together with key elements of the Network and Information Systems (NIS) Regulations 2018 Cyber Assessment Framework (CAF), for relevant larger NHS organisations, as advised by the National Cyber Security Centre (NCSC).

The NHS DSP Toolkit is an online self-assessment tool that enables organisations to measure and publish their performance and compliance against the National Data Guardian's ten data security standards.

All organisations that have access to NHS patient data and systems, including NHS Trusts, primary care and social care providers and commercial third parties, must complete the DSP Toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

The DSP Toolkit has been updated and improved to be more user-friendly and accessible.

The DSP Toolkit will retain the general principle that organisations should demonstrate that they can be trusted with the confidentiality and security of personal information. It will also support the key requirements under the General Data Protection Regulation (GDPR), as identified in the NHS GDPR Checklist. 

The standards, assertions and evidence items are all contained within the DSP Toolkit. The number of assertions and evidence items depends on your organisation type and the circumstances of your data processing. There are four categories, and each organisation type is assigned to one of them. Organisations in Category 1, which includes Mental Health Trusts, are required to provide 116 evidence items. Organisations in Category 2, which includes CCGs, are required to provide 106 evidence items. Organisations in Category 3, which includes NHS Business Partners, are required to provide 56 evidence items. Organisations in Category 4, which covers GPs, are required to provide 42 evidence items. Category 1 and 2 organisations are also required to complete the baseline assessment and the Standards Not Met Action Plan.

Organisations which provide health services or connect to national systems will be required to complete the Toolkit annually.

National Data Guardian (NDG) Data Security Standards

The NHS DSP (Data Security and Protection) Toolkit requirements are based on the National Data Guardian's (NDG) Data Security Standards.

The 10 NDG data security standards are clustered under three leadership obligations to address people, process and technology issues, and cover the following areas:

1.   Handling, transmission and storage of confidential data 

2.   Staff accountability and responsibilities 

3.   Staff data security training and testing 

4.   Access controls

5.   Annual process reviews 

6.   Cyber attack, identification, resistance and response 

7.   Continuity and incident response planning 

8.   Unsupported operating systems, applications or browsers 

9.   Implementation of a suitable strategy or framework to protect IT systems 

10. Contractual accountability for IT suppliers 

What DSP Toolkit Consultancy Services do Romano Security Consulting offer?

DSP Toolkit Compliance and Submission

End-to-end consultancy advice, guidance and support through the application and submission process and the implementation of the 10 NDG data security standards, for businesses of all shapes, sectors and sizes.

DSP Toolkit Managed Service 

An annual submission service consisting of a gap analysis against the current DSP Toolkit requirements, development and management of a corrective action plan, assistance with the roll-out of the staff awareness training survey, production of or updates to the required policy, procedural and evidence documentation, advice and guidance on control implementation and evidence selection, and completion of the online DSP Toolkit submission.

DSP Toolkit Implementation

Guidance and support through the various stages of the implementation and compliance project, e.g. submission, staff training, documentation, standard and framework implementation, business continuity and incident planning, and project management.

NHSmail Connection

Help with completing the application and basic requirements if you are looking to connect to NHSmail.

DSP Toolkit Gap Analysis

A measurement of your current level of compliance against the DSP Toolkit requirements.

DSP Toolkit Independent Assessment Audit

It is now a mandatory requirement for the following NHS organisations to complete an annual independent audit assessment as part of their submission:

  • NHS Trusts (Acute, Foundation, Ambulance and Mental Health)

  • Integrated Care Boards

  • Commissioning Support Units

  • DHSC Arm’s Length Bodies

  • IT Suppliers

Romano Security Consulting have the required expertise and experience to conduct an audit of the mandatory scope as set out in the DSPT Independent Assessment Guide, provide you with a comprehensive audit report, recommendations for improvement and submit an independent assessment on your behalf.

Our DSP Toolkit Independent Assurance Audit service helps organisations gain or maintain compliance by completing the required independent audit. We assess your organisation’s current internal control environment and current level of compliance against the mandatory audit scope of the DSP Toolkit category 1 requirements, report on the findings, provide recommendations for improvements and submit the required external audit report.

The DSP Toolkit Independent Audit service consists of the following:

  • pre-assessment review of the previous Toolkit submission,

  • an audit of the mandatory audit scope against the current 23/24 DSP Toolkit category 1 requirements,

  • production of the required audit report, including findings and recommendations for improvements and a risk and confidence evaluation,

  • post-audit review meeting,

  • completion of the online DSP Toolkit audit report submission,

  • follow-up corrective action meetings.

To speak to a DSP Toolkit expert or to request a consultancy quote tailored to your requirements, please contact us today.