All organisations that have access to NHS patient data and systems should update the DSP Toolkit (Data Security and Protection Toolkit) annually by 31 March to provide assurance that they are practising good data security and that personal information is handled correctly.
The DSP Toolkit is an online self-assessment tool that allows dental practices to measure their performance against the National Data Guardian’s 10 security standards. It replaced the Information Governance Toolkit in 2018.
The challenge for dental practices is that it seems to have been designed for much larger organisations. But as primary NHS care facilities, they have to complete it pretty much in full.
Completing the DSP Toolkit can be time-consuming and frustrating.
At our recent webinar Demystifying the DSP Toolkit (video recording available to view On Demand), the majority of dental practices expected completion of the Toolkit to take them in excess of a day and a half!
There are 115 questions to complete and each requires careful thought.
Whilst the declarations made in the Toolkit provide assurance to the NHS, they’re not actually a guarantee of compliance with the GDPR / Data Protection Act 2018. So it’s an additional administrative burden.
Where there’s doubt and confusion there’s a risk
The format of the self-assessment requires little more than a ticked ‘Yes’ and a statement describing the evidence that supports it.
On the face of it, that looks easy – but how do you know what the question is really looking for? Have you really got it covered? The questions are designed for information governance experts and without subject matter expertise it can be tricky to understand what the questions are really asking for.
Ultimately it’s a declaration of fitness and a contractual obligation. Simply ticking ‘Yes’ and moving on could have implications later.
Answering the Questions and providing the evidence requires careful thought
The lack of clarity means that there are 4 steps to answering a question:
- Interpreting the question – what does it mean?
- Identifying what constitutes evidence that it has been met
- Understanding whether you have that evidence in place
- Establishing that the evidence you have meets the standard
It is little wonder that so many practices find the experience so painful.
It requires a ‘body of evidence’
Let’s look at 3 questions – exactly as they appear in the Toolkit. They are from 3 different sections:
Q1.5.1: Is there approved staff guidance on confidentiality and data protection issues?
Q6.1.1: A Data security and protection breach reporting system is in place
Q10.3.1: List of data security incidents – past or present – with current suppliers who handle personal information.
These questions relate to 3 separate standards but are all underpinned by the existence of (or information in) the following items of evidence:
- IG / data security and protection policy
- Confidentiality code of conduct (which includes guidelines for collecting patient consent)
- Data transfer Standard Operating Procedure
- Data Processor Register
- Portable devices guidelines (for staff with portable devices)
- Data Security incident management Standard Operating Procedure
- Data Security incident register
- Access control and password management SOP
A Smarter Way of Working
Many of the questions within the Toolkit require the same or similar evidence. Most, if not all, of this evidence will already exist if a practice has been diligent in:
- Putting together the ‘records of processing’ that are a requirement of the GDPR / DPA 2018
- Reviewing it annually
- Operating a culture of risk assessment / review and encouraging staff to report ‘near misses’
The challenge for many practices is that they had to do the work for GDPR compliance in a rush – which meant that it became a race to get privacy notices and policies in place for 25 May 2018. After that, we’ve all been busy with our day jobs.
In our DPO Support Service, we’ve broken the process of gathering the ‘records of processing’, managing ongoing compliance and carrying out the annual review down into 9 steps. When we’ve worked with clients one-to-one we’ve been able to complete them inside a day. The annual review is even shorter.
We’ve also already gone through the DSP Toolkit questions, so we provide our clients with a document that tells them how to point to the right evidence if they’ve been through the 9 steps. That’s a big time-saving – it takes away the pain, it removes doubt and confusion, and it reduces the risk.