Feature Content, NHS trust

Feature: overcoming the implementation challenges of the data security and protection toolkit

Content by Naq.

With the upcoming deadline for this year’s Data Security and Protection Toolkit (DSPT) on the 30 June, many NHS providers are now facing a three-month window to ensure their compliance with Version 6 of this crucial NHS requirement. 

The NHS Data Security and Protection Toolkit (DSPT) is a self-assessment tool designed to assess an organisation’s compliance with the National Data Guardian’s 10 data security standards, a crucial requirement for all NHS suppliers and health and social care organisations. With its 40 assertions, the DSPT thoroughly examines an organisation’s data security practices and its ability to handle sensitive health data.

While meeting the DSPT requirements is obligatory for NHS suppliers, it also presents a strategic opportunity for organisations to elevate their data security practices and establish themselves as reliable partners within the healthcare ecosystem. However, implementing the DSPT can pose significant challenges, particularly for small and medium-sized businesses (SMEs)which often lack the adequate resources, internal expertise, and experience in implementing the framework.

In this article, we’ll explore common DSPT implementation challenges and provide practical strategies and tips to navigate them effectively. 

Understanding the DSPT

The foundation of the Data Security and Protection Toolkit (DSPT) lies in the National Data Guardian’s 10 data security standards, which emerged in 2016 following a comprehensive review of data security, consent, and opt-outs within the health and social care system. Aligned with the General Data Protection Regulation (GDPR), the Data Protection Act 2018, and the NHS Constitution, these standards form the bedrock of data security practices within the UK healthcare sector. Additionally, the DSPT requires organisations to comply with the Cyber Essentials scheme. This government-backed certification indicates that an organisation has implemented the basic measures necessary to defend itself against the most common cyber attacks.

The DSPT serves a dual purpose: firstly, to assist organisations in enhancing their data security practices, and secondly, to assure both the public and regulators that both the NHS and its suppliers are appropriately safeguarding health and personal data. It is also a requirement for organisations seeking access to essential NHS interoperability systems and services, such as the NHS Spine, the NHS e-Referral Service, and the NHS App.

The DSPT isn’t a one-time task; it’s an ongoing process that serves as both a strength and a challenge. Annually refreshed to mirror shifts in legislation, guidance, and best practices, the current version, version 6, rolled out in August 2023 and remains effective until June 2024. Version 6 introduces several new requirements and changes, including the requirement to complete a Data Protection Impact Assessment (DPIA) for all processing activities involving personal data and the need to provide evidence of staff training in data security and protection.

Common Challenges in Implementing the Data Security & Protection Toolkit:

Implementing the DSPT can pose a daunting challenge for many organisations, notably smaller health and social care organisations, newcomers to the healthcare sector, and digital health innovators grappling with the regulatory requirements necessary to integrate their solutions into the NHS. Limited resources and expertise in data security and protection further compound this challenge. Some common DSPT implementation hurdles include:

Resource constraints: Completing the DSPT can be time-consuming and resource-intensive, requiring organisations to assess their current data security and protection practices, identify gaps and risks, implement improvements, and provide evidence of compliance. Organisations may need to allocate sufficient staff, budget, and technology to support the implementation of the DSPT, which can be challenging for SMEs and commercial innovators who will most certainly have competing priorities and limited capacity. 

Additionally, as requirements are updated annually, organisations must continuously monitor changes in security and data protection to maintain compliance and adapt to any new demands introduced by the updated toolkit.

Complexity of requirements: The DSPT covers a wide range of data security and protection topics, such as governance, policies, procedures, contracts, consent, data sharing, data quality, data retention, data disposal, data breaches, cyber security, encryption, access control, audit, and incident management. The DSPT also has different levels of compliance, such as mandatory, standards met, standards exceeded, and not applicable, depending on the type and size of the organisation and the nature and scope of the data processing activities. Understanding and applying the DSPT requirements can be complex and confusing for organisations with insufficient knowledge and experience in data security and protection.

Implementing GDPR-compliant processes: The DSPT is not a substitute for complying with the GDPR and the Data Protection Act 2018 but a means of demonstrating this compliance. While an extensive framework, the DSPT doesn’t provide a comprehensive list of all data security and protection obligations required for GDPR compliance, a legal requirement for all UK organisations. Instead, it sets forth a minimum set of standards and expectations. Organisations, especially those handling health data, will still need to implement GDPR-compliant processes and practices, such as conducting DPIAs, obtaining valid consent, providing transparent information, respecting data subject rights, implementing data minimisation and privacy by design.

Gaining Cyber Essentials Certification: The DSPT requires organisations to achieve the Cyber Essentials certification, a government-backed scheme verifying that an organisation has taken basic steps to protect itself from common cyber attacks. The Cyber Essentials certification covers five technical controls: secure configuration, boundary firewalls, access control, malware protection, and patch management. Organisations can attain Cyber Essentials Certification through either a self-assessment questionnaire or a verified assessment by an accredited body. 

Training, expense and awareness:  The DSPT now requires organisations to provide regular and relevant training to all staff members with access to or handling personal data. One of the key aims of the recent DSPT update is to foster a robust cybersecurity culture. This update requires organisations to raise awareness among staff, patients, and partners about the importance of data security and protection through regular training, knowledge sharing, and events. However, meeting this requirement can be challenging, especially as cybersecurity training tends to be costly, and maintaining a culture of cybersecurity often takes a backseat amid the myriad other tasks that businesses must address.

Strategies for Overcoming DSPT Challenges

Conduct a Comprehensive Gap Analysis: One of the initial steps organisations should take when beginning their DSPT compliance journey is to download the DSPT guidance and conduct a thorough gap analysis of how their existing organisational security and data protection practices measure up against the standards outlined in the DSPT framework. Since most DSPT assertions will require the submission of evidence to demonstrate compliance, organisations must carefully document their existing policies, processes, evidence of training, and technical security controls ready for submission.

Plan and prioritise: Once gaps in compliance have been identified, organisations should create a focused action plan, including which security controls will be implemented, the assertions to which these controls will link, and what evidence must be collected to demonstrate adherence along clear deadlines. 

Ideally, organisations should prioritise these implementation actions based on their associated risks; for example, organisations should remove any unauthorised or unnecessary access from systems that hold sensitive data before moving on to evidence items such as “Your organisation understands the health and care services it provides”. If an organisation processes health data, it must ensure that any third parties or suppliers involved in handling this data also comply with the Data Security and Protection Toolkit. This process ensures that all entities processing health data adhere to the standards required to safeguard and protect sensitive information.

Seek guidance and support: The DSPT can be a complex and confusing tool, especially for organisations new to the health and social care sector or with limited knowledge and experience in data security and protection. Therefore, organisations should seek guidance and support from various sources, such as the DSPT website, DSPT webinars and workshops, the NHS Digital Data Security Centre, the Information Commissioner’s Office (ICO), the National Cyber Security Centre (NCSC), and other relevant organisations and experts. These sources can provide valuable information, advice, and assistance to help organisations understand and apply the DSPT requirements, identify and address gaps and risks, and implement improvements and best practices.

Achieve GDPR Compliance: While the Data Security and Protection Toolkit (DSPT) sets standards for data security and protection, it’s essential to understand that it doesn’t replace GDPR compliance. Organisations aiming to meet the DSPT standard must provide evidence of compliance with all seven GDPR principles, including transparency, integrity, confidentiality, data minimisation, and accuracy. Rather than solely focusing on meeting GDPR-related assertions within the DSPT, organisations should strive for full compliance with the GDPR, a legal obligation for all UK entities, particularly those handling sensitive health data subject to additional processing requirements. Ensuring GDPR compliance simplifies meeting the DSPT and streamlines the creation of Data Protection Impact Assessments, crucial documents required by the DSPT and other healthcare frameworks like the Digital Technology Assessment Criteria.

Initiate staff training early: Version 6 of the NHS DSPT, valid until the 30th of June 2024, now requires organisations to ensure all staff members receive appropriate and regular cyber security and data protection training, aiming to foster a robust culture of cyber security and data protection. To meet this assertion, organisations must provide evidence of this training and a completed training needs analysis outlining how the organisation has determined the specific training needs of each individual. Organisations should start working on this requirement as soon as possible, considering that organisations new to DSPT often encounter challenges in meeting this requirement due to the effort involved in sourcing suitable training, associated costs, and ensuring staff compliance with the training.

Continuous Improvement: Maintaining compliance with the Data Security and Protection Toolkit (DSPT) is an ongoing journey, not a one-time task. The DSPT undergoes annual updates to reflect changes in cyber security and data protection legislation, requiring organisations to continuously evaluate their practices to stay ahead of these changes. 

Additionally, impending legislative changes, like the new Data Protection and Digital Information Bill, will likely introduce new assertions to the DSPT, prompting organisations to update their data protection practices to ensure alignment with legislative requirements.

To keep up with these evolving requirements, organisations should implement a regular monitoring and auditing schedule, conduct regular assessments to identify any compliance gaps and take prompt action to resolve them. Compliance with the DSPT is not just about ticking a box; it’s about ensuring organisations handling NHS and health data have the appropriate controls to keep this information safe and secure.

Furthermore, the NHS plans to transition cyber elements from the DSPT to the Cyber Assessment Framework (CAF). Developed by the National Cyber Security Centre (NCSC), the CAF is a mechanism for assuring the security practices of organisations which form part of the UK’s Critical National Infrastructure (CNI), including NHS suppliers. While not expected to come into force until 2025, at the earliest, organisations are advised to start preparing for this transition by aligning their data security and protection policies and practices with the five pillars of the CAF:

  1. Focus on the greatest risks and harms.
  2. Defend as one.
  3. People and Culture
  4. Build security for the future
  5. Exemplary response and recovery

In conclusion, implementing the NHS Data Security and Protection Toolkit (DSPT) presents both challenges and opportunities for healthcare organisations. While ensuring compliance with the DSPT standards can be daunting, especially for organisations implementing the toolkit for the first time, it is an essential framework for safeguarding sensitive health data and maintaining trust with patients and regulators. As the healthcare sector increasingly becomes a target for cyber threats, organisations aspiring to become NHS suppliers should view DSPT compliance not only as a regulatory requirement but as a fundamental part of providing quality healthcare services. By prioritising data security and protection, organisations can uphold patient trust, mitigate risks, and contribute to a safer and more resilient healthcare environment.

About Naq

Hundreds of NHS suppliers and organisations are using Naq to streamline their compliance with the frameworks they need to operate, including the Data Security and Protection Toolkit, GDPR, Cyber Essentials, NHS DTAC, and more. By automating over 80% of compliance tasks, Naq’s platform saves healthcare organisations 160 hours and thousands in compliance fees every year. 

Learn more about Naq’s compliance solution here, or follow us on LinkedIn for actionable compliance advice.