Understanding the NHS DSPT
The NHS DSPT is an online self-assessment that helps organisations assess their data security practices against the standards required by the NHS. It is mandatory for all organisations with access to NHS patient data and systems, including NHS trusts, hospitals, ICBs and their suppliers. By using the toolkit, organisations can demonstrate compliance with the National Data Guardian's 10 data security standards and that they are practising good data security and protection.
Changes in the DSPT for 2023/24
Version 6 of the NHS DSPT introduces significant changes regarding training and awareness. Previously, organisations had to train at least 95% of their staff using the national Data Security Awareness Level 1 e-learning or a local equivalent. However, in the 2023/24 version, the focus shifts to ensuring that all staff have an "appropriate understanding of information governance and cyber security".
This change allows organisations more flexibility in setting training requirements based on different staff roles and adopting various training methods. The new training requirements consist of three parts: training needs analysis, delivery of training and awareness activities, and evaluation.
Training Needs Analysis
A training needs analysis (TNA) is crucial in determining the level of cyber awareness training required for different staff groups. It involves analysing staff training needs to decide what constitutes an "appropriate understanding" of information governance and cyber security.
Simply put, a TNA helps identify the staff members who require additional security awareness training. For instance, the training requirements of an employee with direct access to patient information will differ from those of an employee without access to your organisation's network.
It's crucial to note that all staff members must have an "appropriate understanding of information governance and cybersecurity". Therefore, all employees will need to undergo some form of training. Once completed and approved, the TNA must be uploaded as part of the organisation's response to the NHS DSPT assessment.
Delivery of Training and Awareness Activities
Once the Training Needs Analysis has been completed, organisations must deliver training and awareness that match the needs outlined in the TNA.
For instance, you should provide training tailored to maintaining a secure working environment, especially if your employees are working from remote locations. In addition, individuals responsible for handling patient information will require specialised training in GDPR and data security.
The 2023/24 guidance does not specify how this training should be delivered, but it does mention several training approaches, including in-house face-to-face training, e-learning, external conferences or courses, and relevant qualifications. The new guidance also emphasises the importance of implementing awareness training activities, such as regular emails, newsletters, and events, to reinforce formal training.
Naq's platform not only automates the NHS DSPT process but also provides access to comprehensive cyber security and information governance training that surpasses the new NHS DSPT requirements for one low fixed monthly cost. Find out why hundreds of NHS suppliers trust Naq to simplify their DSPT compliance.
Version 6 of the NHS DSPT will give more importance to training evaluation. Evaluating the training activities implemented across your organisation will help you determine whether the training methods suit your staff and, most importantly, whether the training needs outlined in the TNA have been met.
Evaluation techniques may include post-training questionnaires, surveys, focus groups, interviews, and tests. For example, all Naq customers receive regular phishing tests to assess whether they are following the learning outcomes of our phishing training. By measuring pass rates, we can quickly determine whether additional training is needed for any of our customers.
Evidence of evaluation will need to be submitted as part of the new NHS DSPT assessment.
Leadership & Cultivating a Positive Cyber Security Culture
In addition to training and awareness, Version 6 of the NHS DSPT emphasises cultivating a positive culture surrounding information governance and cyber security. This culture should start with the organisation's senior leaders, who should lead by example, actively engaging in discussions and supporting improvement initiatives to demonstrate your organisation's commitment to information governance and cyber security.
Responding to Concerns
Continuing on the topic of culture, the sixth version of the NHS DSPT emphasises that organisations should respond transparently and consistently to security concerns raised by staff or incidents that occur. Incidents should not be viewed solely as negative but rather as opportunities for improvement.
Adopting an approach where honest mistakes are not punished but used to address underlying issues should lead to an environment where staff feel comfortable reporting incidents and concerns. This approach encourages transparency, accountability, and improved security as staff do not hesitate to report incidents.
Continuous Compliance with the NHS DSPT
Ensuring compliance with the NHS DSPT is a continuous process that requires organisations to stay updated with the latest NHS DSPT changes and any developments in security threats and data privacy legislation.
Naq's platform guarantees continuous compliance with the NHS DSPT and other healthcare compliance frameworks such as GDPR, Cyber Essentials, NHS DTAC and DCB0129. By combining an automated platform with unlimited expert support, Naq reduces the time required to meet the NHS standard by 80% while providing NHS suppliers with everything they need to confidently fulfil their supplier obligations, all for one fixed monthly fee.
Naq's platform also seamlessly integrates the new changes in version 6 of the NHS DSPT, providing organisations with continuous compliance and peace of mind.
To learn more about how Naq can help your organisation achieve or maintain continuous compliance with the NHS DSPT, please click here to get in touch.