Keeping patient data safe
The Data Security and Protection (DSP) Toolkit replaced the Information Governance (IG) Toolkit in April 2018. Produced by NHS Digital, it is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s (NDG) 10 data security standards. The changes brought about by the DSP Toolkit were driven by changing regulations (namely EU GDPR), the changing threat landscape, and the move to a continuous improvement model. The NDG made it clear in their review… it’s all about Trust!
All organisations that have access to NHS patient data and systems must use the DSP Toolkit to provide assurance that they are practising good data security and that personal information is handled correctly. The DSP Toolkit makes continual reference to the Information Commissioner’s Office (ICO) expectations for meeting the requirements of GDPR, and therefore organisations would be wise to follow the ICO’s 7 self-assessment checklists, available freely on the ICO website.
The DSP Toolkit Leadership Obligations cover the checking of certification from any supplier of IT systems. Depending on the nature and criticality of the service provided, acceptable frameworks range from the basic certifications, at a minimum, through to ISO 27001:2013 certification.
Beyond a simple declaration to demonstrating sound information security practices that protect all your data
Responses to the DSP Toolkit are uploaded into an online portal. The assurances offered in that response are, in effect, a promise… a warranty that the requirements have been met. Arguably, it could be a ‘click-and-forget’ exercise.
That is why stakeholders seek additional assurances that organisations can demonstrate good information security practices. They need to be confident they can trust your organisation’s Information Governance and in many cases will look for certifications to demonstrate you are living and breathing information security management in practice.
Cyber Essentials, whilst a basic entry-level security certification, is not enough to cover the mandatory requirements, nor is it an externally audited certification, and so it does not offer the highest levels of trust.
A UKAS accredited ISO 27001:2013 certification, covering the relevant scope and coupled with a meaningful way to demonstrate GDPR compliance, will go a long way to meeting the requirements of the DSP Toolkit.
Holding ISO 27001 certification provides many exemptions to the DSP Toolkit but also demonstrates good security hygiene that protects all the organisation’s valuable information assets, not just patient data.
It provides the greatest level of trust to all your valuable stakeholders.
However, as NHS Digital identified, no one framework will cover all your data security and protection responsibilities. There is now also EU GDPR and Security of Network and Information Systems Regulations (NIS) which have increased the legislative data security and protection requirements on health and care organisations.
Demonstrating you can meet the requirements in these key areas will go a long way to addressing the DSP Toolkit.
Demonstrating compliance across multiple frameworks can be complex, time-consuming and costly.
Streamlining your approach makes perfect sense and will cut out duplication and repetition, and help you achieve your goals faster…
Great news! ISMS.online makes light work of compliance across multiple frameworks…
Link together the requirements of the DSP Toolkit, EU GDPR (the ICO 7 checklist approach), NIS Regulations, and ISO 27001 to eliminate duplication. ISMS.online provides one place to easily demonstrate compliance to them all. In fact, for GDPR we’ve already mapped relevant requirements to ISO 27001 for you. We’ve even given you a headstart with materials you can Adopt, Adapt or Add to speed up your preparation for both.
And, using our powerful tools to manage risk and other common work processes will reduce management time and ensure everything is captured in one secure, UKAS ISO 27001 certified, ‘always-on’ environment. We’ll simply add in your DSP Toolkit and NIS frameworks as required, and you are ready to streamline all your information security and data protection work in one place! You can even cover ISO 9001 and Cyber Essentials with ISMS.online.
Why duplicate these essential work processes?
Easily demonstrate you have it covered in ISMS.online
- Policy management and governance
- Risk management tools
- Information Asset Register
- Supply chain/vendor management
- Incident management
- Staff communications, training and engagement
- Corrective actions and improvements
- Ability to link to ISO 27001:2013 Policies & Annex A controls
- Internal and external audit management
- KPIs, management reviews and reporting
- Full collaboration functionality for team working
- Business continuity planning