Care Providers: are you using the Data Security and Protection (DSP) Toolkit?
In April 2018 the new Data Security and Protection (DSP) Toolkit replaced the Information Governance (IG) Toolkit. The DSP Toolkit is a set of over 150 questions used to evidence the level of digital technology use, cyber security and effectiveness of data protection procedures in organisations (find out more). Social care organisations operating under the NHS Standard Contract are contractually required to use this toolkit to at least ‘entry level’ to provide assurance that they are practising good data security and that personal information is handled correctly. Do you need to complete the DSP Toolkit?
Social care providers not providing care under an NHS contract are under no obligation to comply with the DSP Toolkit but it is recommended that they do in any event. Why? Because it is not just a box-ticking exercise in demonstrating good information governance; it is likely to become an essential part of the intelligence gathered for Care Quality Commission (CQC) inspections, which should cause all providers to take notice.
The DSP Toolkit gathers information around three key factors in data security:
- Staff awareness
- Process
- Technology
The Toolkit will help providers to audit their systems and practices annually against the following important standards and regulations:
CQC Key Lines of Enquiry (KLOEs)
From 1 November 2017, CQC introduced a new KLOE under the Governance and Management section of the well-led inspection area covering data security. CQC have been piloting the use of NHS Digital intelligence from the DSP Toolkit, on-site assessments and network monitoring to support them in inspections. Unless a provider already has their own robust framework for data security monitoring and standards, adopting the Toolkit may be a key element to support fulfilment of KLOE W2.8. Use of the Toolkit should be considered strong evidence that this KLOE is being met.
General Data Protection Regulations (GDPR)
Providers who can evidence compliance with the DSP Toolkit will be able to demonstrate to the Information Commissioner’s Office (ICO) that they are also compliant with the key elements of GDPR when dealing with medical records and other sensitive patient and service user data. This may fall within the scope of special category data for the purposes of the legislation.
10 Data Security Standards
Some providers may not have heard of the National Data Guardian. According to the gov.uk website, “The National Data Guardian’s role is to help ensure that the public can trust that health and care information is securely safeguarded and used appropriately.” The National Data Guardian has created ten standards which explain how to protect confidential personal data and handle it securely in social care settings. The DSP Toolkit can be used to measure the processes a provider employs against these standards and uncover any areas of weakness.
There are other potential opportunities for providers to gain access to resources and other collaborative tools for data sharing if they evidence the appropriate data security standards through the Toolkit assessment. You can find out more about the DSP Toolkit including FAQs and introductory guides for social care providers here.