Data Security and Protection Toolkit assessment guides - NHS Digital (2024)

This guidance relates to the 2023-24 (version 6) standard.

About the guides

All health and care organisations are expected to implement the 10 National Data Guardian (NDG) standards for data security. These standards are designed to protect sensitive data, and also protect critical services which may be affected by a disruption to critical IT systems (such as in the event of a cyber attack).

A ‘big picture’ guide has been provided for each of the 10 standards to help organisations understand expectations, and support implementation of good data security and protection.

These guides also help organisations meet the requirements of their annual Data Security and Protection Toolkit (DSPT) self-assessment. Throughout these guides you may see references to DSPT requirements (assertions and evidence items).

The guides aim to support a wide range of health and care organisations, and as such are not exhaustive. They will not cover every eventually and professional judgement will be required in how the standard is met and audited.

See further note on professional judgement, auditing and GDPR.

At times the big picture guides may go further than the audit guides and vice versa. Only the most binary of assertions would lead to one answer. The divergence of guides is either following an implementation theme to the end or the next logical audit artifact.

1 - Personal confidential data

All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form.

Read guide 1

2 - Staff responsibilities

All staff must understand their responsibilities under the National Data Guardian’s Data Security Standards.

Read guide 2

See Also

England Protecting patient data - NHS Digital Compliance Research Summary: Healthcare HIPAA & NHS Confidentiality and GDPR Policy (General Data Protection Regulation) – Blossoming Buddies

3 - Staff training

Staff have appropriate understanding of information governance and cyber security, with an effective range of approaches taken to training and awareness.

Read guide 3

4 - Managing data access

Personal confidential data should only be accessible to staff who need it for their current role and access is removed as soon as it is no longer required.

Read guide 4

5 - Process reviews

Past security breaches and near misses are recorded and used to inform periodic workshops to identify and manage problem processes.

Read guide 5

6 - Responding to incidents

Cyber-attacks against services must be identified and resisted, and CareCERT security advice responded to.

Read guide 6

7 - Continuity planning

A continuity plan must be in place to respond to threats to data security, including significant data breaches or near misses.

Read guide 7

8 - Unsupported systems

No unsupported operating systems, software or internet browsers should be used within the IT estate.

Read guide 8

9 - IT protection

A strategy must be in place for protecting IT systems from cyber threats.

Read guide 9

10 - Accountable suppliers

IT suppliers must understand their obligations as data processors under the General Data Protection Regulation (GDPR).

Read guide 10

Using professional judgement, auditing and GDPR

The 10 ‘Big Picture Guides’ are not exhaustive. They will not cover every eventually and professional judgement is required.

Using professional judgement

Useful resources

Additional resources that complement the guidance found in the Data Security and Protection Toolkit.

Access useful resources

Last edited: 28 September 2023 10:51 am

Data Security and Protection Toolkit assessment guides - NHS Digital (2024)

Top Articles

Qué es un brief creativo, cómo hacerlo y 11 ejemplos excepcionales

Cita previa Extranjería ⭐ TRUCO para Cita para Huellas

What is the full meaning of fund?

What happens to a trust bank account when someone dies?

Latest Posts

Evolución de la TABLA PERIÓDICA: desde su creación hasta hoy - RESUMEN!!

Países y capitales de Europa - Datos actualizados 2022

Article information

Author: Horacio Brakus JD

Last Updated: 2024-04-29T06:36:45+07:00

Views: 6171

Rating: 4 / 5 (71 voted)

Reviews: 94% of readers found this page helpful

Author information

Name: Horacio Brakus JD

Birthday: 1999-08-21

Address: Apt. 524 43384 Minnie Prairie, South Edda, MA 62804

Phone: +5931039998219

Job: Sales Strategist

Hobby: Sculling, Kitesurfing, Orienteering, Painting, Computer programming, Creative writing, Scuba diving

Introduction: My name is Horacio Brakus JD, I am a lively, splendid, jolly, vivacious, vast, cheerful, agreeable person who loves writing and wants to share my knowledge and understanding with you.