Completing the DSPT - I'm new to this!

Before you begin the Toolkit you must register to access it.

To do this go to:



www.dsptoolkit.nhs.uk/account/register

You will need:

Your email address

A valid registration (ODS) Code

An ODS Code is just a unique code that the NHS issues to all care providers.

You more than likely already have one but are not aware of it.  You can look up your code by clicking the button below

If you can't find your ODS code or you know that you don't have one, contact the NHS's Exeter Helpdesk  ssd.nationalservicedesk@nhs.net ; 0300 303 5035 who will be able to help you.

Need more help?

Registering to use the Toolkit is very straightforward but you can see step by step instructions by clicking the button below

Do I legally need a Caldicott Guardian?

There has been a lot of confusion as to whether Adult Social Care providers are legally required to appoint a Caldicott Guardian.

The UK Caldicott Guardian Council issued advice stating that Social Care organisations with public funding need to 'have regard' for the National Data Guardian guidance. It was however worded in such a way as to imply this was mandatory - it is not.

It is ultimately up to you whether an appointment would be possible and useful. We recommend that if your organisation is of sufficient size that you are legally required to have a Data Protection Officer then you should seriously consider appointing a Caldicott Guardian.

Further information can be found at the UK Caldicott Guardianship Council website

If you have appointed a Caldicott Guardian then DIgital Care Hub have established a learning network to support you

Data Protection in General (the basics)

The toolkit is an assessment of your data protection policies and procedures.   

Further down this page we've listed the basic items that you will need in place to successfully complete the toolkit.  These have been divided into the four sections comprise the toolkit:

• Staffing and Roles
• Policies and Procedures
• Data Security
• IT Systems and devices

Each section contains links to more information and examples of relevent policies and procedures

We also run a weekly webinar on Data Protection in general which we recommend attending before you start your toolkit submission

What Questions are on the Toolkit?

A full list of questions in the toolkit can be found here

If you need any help we suggest attending one of our webinars



DSPT Checklist

Before you start, download checklists to help you compile all the necessary policies and documents you need



We recommend attending our 1 hour Data Protection in General webinar before you start completing the toolkit, or watch the recording of it below

This webinar is aimed at Care Providers with no previous experience of the DSPT but is also a good refresher if you've done it before.

We will give you an overview of the policies and procedures that you will need to successfully complete it.

If you want to attend this webinar in person, please visit our webinars page for available dates

The Toolkit is a list of 43 questions. Some are marked mandatory. The questions marked Mandatory are the minimum you need to complete to publish at Approaching Standards (26 questions). You need to complete all 43 questions to publish at Standards Met

You cannot publish at Approaching Standards unless you upload an action plan on how you plan to address the issues stopping you from publishing at Standards Met, for this reason (and it's not that much more work) we recommend you continue to Standards Met.

To complete to Standards Met you will need to complete a further 17 questions

Toolkit Question Types

The toolkit will ask you three types of questions (click on the link to see an example):

1 A tick box to confirm your answer (essentially yes or no).

2 A text comment/statement

3 Upload a document, reference a document or weblink or enter text . You should always use the 'enter text' option, you do not have to upload documents unless you want to but you must specify in the text box where the document is located (eg on a computer in the care home on on a website).

All questions include an optional comments box - we recommend that you don't make any comments unless you need to answer 'not applicable'

This first section will ask you who is responsible within your organisation, how you conduct data training and that your contracts of employment cover data protection

This sections contains 7 questions

We have also included a short video which takes you through each question in depth

you will need:

A Training needs analysis of data protection/security needs

A training needs analysis is a process which helps identify the data security and protection, and cyber security, training and development needs across your organisation.



Training staff annually in data security and protection and cyber security in the last twelve months

Question 3.2.1 (which is a mandatory question) is a requirement for at least 95% of staff, directors, trustees and volunteers in your organisation to have completed training on data security and protection, and cyber security, in the last twelve months.  To help you with this Digital Care Hub have produced a FREE ELearning Module with can be accessed by clicking the button below

1 Completing the DSPT: Staffing and Roles (7:m32s)

We've produced a short video about what information you need which you can see below

This next section concentrates on the various policies and proscudes you need to successfully complete the toolkit

This sections contains 12 questions

We have also included a short video which takes you through each question in depth

You will need

ICO Registration Number

All companies that handle data in any form must be registered with the ICO (Information Commisioners Office)  It is an offence if you hold or process data and are not registered.

If you need more information or check whether you are registered, click the button below



2 Completing the DSPT: Policies and Procedures  (13m:27s)

We've produced a short video about what information you need which you can see below

Data Privacy Policy

Your data privacy policy is an overarching document which sets out how you collect personal data. 



Staff Data Policy

Staff must be aware of the safe and secure use of data and their individual responsibilities pertaining to its use and access.



Data Register

This is a list of all the data you hold, where it is held and whether or not this is shared with other organisations. The Data Register is made up of several different documents.

Click the button below for an example plus information on document and information retention



Whether you comply with the National Data Opt Out

The National Data Opt doesn't normally effect care providers but you must be aware of it and how you inform your clients of your obligations



Document Retention Guidance

We often get questions about how long you should keep different types of data.  Although not a question on the toolkit, you may find the following guidance useful.

Records Management – Abbreviated Code of Practice and Guidance for Adult Social Care Providers



Webinars

if you feel you need additional help you can book one of our free webinar sessions where we offer more intensive help and can answer your questions. Details can be found by clicking the button below

One to One Support

We can also offer one to one support sessions (virtually)

These are available throughout normal office hours and can be booked by clicking the button below

Contact us

If you need help you can contact the Care Associations dedicated digital helpline during normal office hours on 01384 943000 (opt 1) or email enquiries@wmca.digital

This next section concentrates on the procedures and systems you have in place to secure your networks and data

This sections contains 8 questions

There are no specific documents required to complete this section but we have included an optional example template

We have also included a short video which takes you through each question in depth



3 Completing the DSPT: Data Security (8m:07s)

This final section concentrates on the infrastructure you have in place and how it is secured

This sections contains 16 questions

We have also included a short video which takes you through each question in depth

You will need

Staff Bring Your Own Device Policy (BYOD)

If you allow staff to use their own phones/mobile devices you must have a policy outlining how this works and how it is managed. You do not need this policy if staff do not use their own devices



A document highlighting any unsupported software you use and the business need and risk (if you have unsupported software)

This document should indicate that your board or management team have formally considered the risks of continuing to use unsupported items and have concluded that the risks are acceptable.



4 Completing the DSPT: IT Systems and Procedures (15m:06s)

Once you have done this successfully you can publish your toolkit to Standards Met level.

Once published, the Toolkit results are valid for 12 months.  You will be sent a reminder email to remind you to confirm your Toolkit status.

If you receive error messages when you try to publish then it is likely you have not completed all the questions



Multi-site publications

If you are a Head Office, you can publish your assessment to include all your satellite sites. The toolkit will prompt you to include the satellite sites it has on record.

If your satellite sites are not listed then you will either have to submit a separate publication for each site or contact the ODS helpdesk to see if they can link the sites for you

5 Completing the DSPT: Publishing the Toolkit (6m:29s)

Cyber Essentials

Cyber Essentials is a government backed cyber security standard which is available to all UK businesses.  Having Cyber Essentials certifcation shows that you have met certain standards for data protection and security. 

There are two parts to the standard:

Cyber Essentials.  This is an online assessment of your data security and protection policies (not dissimilar to the DSPT). Your answers are checked and verified by a Cyber Essentials assessor.

Cyber Essentials Plus.  This extends the online assessment and your equipment is tested by the assessor for resilience against cyber attack and that you are adhering to your policies.

Cyber Essentials is not a replacement for the DSPT but the two are complementary.  Cyber Essentials Plus certification is a requirment for achieving DSPT Standards Exceeded

Price

Unlike the DSPT there is a cost involved to achieve certification and this differs depending on the company you choose to carry out the assessment. Expect to pay anything from £300-500 for Cyber Essentials and £1000-£2000 for Cyber Essentials Plus. Certification lasts 12 months and needs to be annually renewed

More details can be found here

If you are unsure as to what the differences are between the DSPT and Cyber Essentials, DIgital Care Hub have produced a useful guide

National Cyber Resilience Centre

The National Cyber Resilience Centre Group (NCRCG) is a strategic collaboration between the police, government, private sector and academia to help strengthen cyber resilience across the nation’s small and medium-sized enterprise (SME) community, in support of the government’s National Cyber Strategy.

NCRCG is a not-for-profit organisation, funded and supported by the Home Office, policing and private sector partners.

Support is often free of charge and can be accessed through a network of regional centres

More information can be found here

Get in touch

If you need additional help or advice then our dedicated digital team are here to assist

They are available during normal office hours (Mon - Fri 9.00am - 5.00pm)

Phone 01384 943000 opt 1

Email enquiries@wmca.digital

(if you are not in the West Midlands, Herefordshire, Warwickshire or Worcestershire, click here to find out your Local Support Organisation)