What is the NHS Data Security & Protection Toolkit, and how to comply?

The NHS Data Security Protection Toolkit (DSPT) is a mandatory security measure for organisations processing NHS data. Find out what it is, why you must comply, and how Naq can help.

What is the NHS Data Security & Protection Toolkit, and how to comply?

The NHS Digital Security & Protection Toolkit:

The NHS Digital Security & Protection Toolkit (DSPT) is a set of security requirements that companies must meet to supply goods and services to the National Health Service (NHS). The DSPT, sometimes referred to as the “NHS IG toolkit”, was created to ensure that suppliers meet a certain level of security when providing products and services to the NHS, ensuring the safety and protection of sensitive patient information. Introduced in 2018, this formalised framework ensures that the NHS can continue to collaborate easily with smaller, agile, innovative suppliers without compromising on its security responsibilities. 

With over 80,000 suppliers and an increase in the number of digital systems and suppliers now holding sensitive information, it became crucial for the NHS to have a set of guidelines in place to protect patient data. Any organisation handling patient information, from MedTech start-ups to IT consultancies and care agencies, must comply with the requirements set out in the NHS DSPT. 

It’s important to note that as part of achieving the requirements set out by the NHS DSPT, organisations will also need to have met and provide evidence of compliance with the UK-GDPR and appoint a data protection officer. 

NHS DPST or IG Toolkit? 

You’ll be pleased to know that the DSPT and IG Toolkit do not refer to two different security requirements. The NHS Data Security & Protection Toolkit officially replaced the NHS Information Governance Toolkit upon its introduction in April 2018. 

Who needs to comply?

All companies that wish to supply goods and services to the NHS must meet compliance with the NHS Digital Security & Protection Toolkit; this includes suppliers of medical equipment, pharmaceuticals, digital solutions and other goods and services that the NHS uses. In addition to demonstrating they meet DSPT requirements, overseas suppliers must also show evidence of compliance with the UK-GDPR. 

Companies need to understand that compliance with the DSPT is an ongoing requirement, not a one-time process. The NHS regularly monitors suppliers for compliance and may conduct audits to ensure that suppliers continue to meet the requirements of the DSPT. 

How to comply with the NHS DSPT?

While the steps required to comply with the NHS DSPT will differ depending on the nature of the goods and services a supplier provides, we have outlined the Data Security Standards which most organisations will be measured against when looking to meet compliance with the DSP Toolkit.  

All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form.”

Organisations looking to meet compliance with the NHS DSPT must ensure that personal confidential data is handled securely, from collection through to processing and eventual storage. To achieve this data security standard, organisations must be registered with the ICO, keep an up-to-date information register and create a data privacy notice, among several other measures.

As personal confidential data is classed as protected under the UK-GDPR, organisations looking to meet this standard must also provide evidence of compliance with this piece of data legislation. 

"All staff understand their security responsibilities, including their obligation to handle information responsibly and their accountability for deliberate or avoidable breaches."

Your organisation must ensure that staff are aware of their responsibilities regarding securing confidential patient data. Organisations must provide comprehensive cyber security training to all team members likely to access patient information and ensure that data protection and cyber security clauses are included within staff contracts. Handling data securely must be baked into your organisation’s working culture rather than treated as a yearly training exercise.

Naq helps NHS suppliers achieve, manage and maintain their compliance with NHS DSPT, UK-GDPR and Cyber Essentials through one easy-to-use platform and unrivalled expert support. Click here to find out how. 

"Personal confidential data is only accessible to staff who need it for their current role, and access is removed as soon as it is no longer required."

User privileges must be constantly monitored to ensure users only have access to the data they need to carry out their work effectively. For sensitive patient information, “paper trails” must be maintained, justifying why a specific staff member needs access to said information. This principle of “least privilege” is also outlined under the UK-GDPR. 

"Processes are reviewed annually to identify and improve processes that have caused breaches or near misses."

Organisations must have an incident response plan outlining what should be done and who should be contacted in case of a breach or security attack. As part of this plan, security incidents and potential breaches must be recorded and reviewed to continuously include new threats and vulnerabilities. 

Organisations need to discuss with their staff whether any current systems or processes are forcing them to take shortcuts regarding cyber security and address these as soon as possible. 

 "All staff are trained to report an incident. Sitting on an incident, rather than reporting it promptly, faces harsh sanctions."

As highlighted in our last point, organisations looking to comply with the NHS DSPT must have an incident response plan in place in case of a security attack or data breach. In addition to frequently testing and reviewing this plan, organisations must ensure that staff know what to do in case of an attack, including who to notify and, if applicable, which systems to shut down. 

This security standard also calls for implementing company-wide antivirus and firewall solutions, end-point system protection and effective vulnerability management. 

"No unsupported operating systems, software or internet browsers are used within the IT estate."

Unsupported software or platforms no longer receiving security updates are often used as an entry point for cyber criminals as they know vulnerabilities are unlikely to be patched in the future. 

The NHS DSPT requires organisations handling sensitive patient information to ensure their operational systems are still supported; this includes enabling automatic updates where possible and continuously taking stock of all the devices, systems and platforms used across the company. A good asset management solution, like the device and asset tracker included within the Naq platform, will keep track of the devices, platforms and systems used within your organisation, giving you a complete view of IT “estate”. 

It’s important to note that this list is not exhaustive; suppliers whose services include the provision of a platform will have additional security and quality measures to meet. Those providing services to be used by children will also need to abide by legislation such as The Children’s Code. It should, however, highlight some of the primary measures organisations must have in place when considering becoming an NHS supplier and undertaking the DSPT assessment. 

For detailed guidance on how your organisation can start winning NHS contracts by taking care of its DSPT compliance, click here to get in touch with our team.