The Updated DSP Toolkit for NHS and Private Practices

Primary Care


Following the first year of the Data Security and Protection (DSP) Toolkit Standard, some updates have been made based on lessons learned and user feedback. This means that as of 21 June 2019 there is a significantly updated DSP Toolkit.

So, what do you have to do? According to the NHS, ‘Where evidence items are not materially changed – existing responses are carried forward. Assertions must be re-confirmed prior to publishing an assessment against the new standard’.  This is good for practices that have already submitted this March as it means most of their answers have been transferred to the new assessment and put in the right sections. This also means that NHS practices who completed the 2018-19 Toolkit don’t need to complete it again until next year.

The submission for the 2019-20 Toolkit is 31 March 2020, however practices will need to do some preparation before then to ensure they have the right paperwork in place. One key observation is that the language has been significantly simplified, making the toolkit a little more accessible, however some new requirements have been added, let’s take a look at some of the key issues…

Private practices and NHSmail
The NHS is gearing up to a ‘paper switch off’ meaning that it is moving more towards only accepting referrals via NHSmail and CODE has been made aware that some private practices in the south have been having trouble referring patients because they don’t have an account.

In order to get an NHSmail account, practices MUST have completed the DSP toolkit and it’s only just been updated and released for this year, which means private practices may not have the guidance they need in order to complete this slightly daunting task.

Don’t worry, CODE have the solution for private practices with our updated version of IG Improvement Plan for Data Security and Protection Toolkit (M 217A). We are also releasing an updated set of documents to help practices meet the requirements.

Action list for private practices to get NHS mail
Download the new version of our IG Improvement Plan for Data Security and Protection Toolkit (M 217A)Work your way through the document making sure you have adopted and updated all of the latest templatesContact the NHS and ask for DSP toolkit access here.Email a request to receive CareCERT bulletins to [email protected]Complete the DSP toolkitApply for an NHSmail account here.

Data opt-out policy
Section 1.4.4 asks ‘Is your organisation compliant with the national data opt-out policy?’, which was introduced on 25 May 2018, enabling patients to opt out from the use of their data for anything other than their individual care and treatment, for example research or planning purposes. By March 2020 all health and adult social care organisations providing NHS treatment or using NHSmail are required to be compliant.

The updated toolkit requires that practices ‘Please provide your published compliance statement e.g. within a privacy notice’. It is CODE’s opinion that the majority of practices only use healthcare data to provide individual care and treatment, though there may be a small minority of practices carrying out research where this would need to be considered. We have updated our Privacy Notice (M 217T) to include a subsection on the national data opt out.

NHS CareCERT bulletin service
Section 6.3.1 asks ‘If you have had a data security incident, was it caused by a known vulnerability?’ In addition, it requires that practices are signed up to the NHS CareCERT bulletin service.

NHS Digital was commissioned by the Department of Health to develop a Care Computer Emergency Response Team (CareCERT). CareCERT offers advice and guidance to support health and social care organisations in responding effectively and safely to cyber security threats.

This service was previously not available to private practices, but as it is now a requirement of the toolkit, CODE has contacted CareCERT who have assured us that private practices can get access by emailing a request, including their name and the practice details, to [email protected].

CODE has updated the Information Governance Procedures (M 217C) to clarify this requirement.

Data security incident response and management
Section 7.2.1. asks practices to: ‘Explain how your data security incident response and management plan has been tested to ensure all parties understand their roles and responsibilities as part of the plan.’ It is important that practices are securely backing up their data and periodically perform test restores. See our article which gives a basic overview of our advice here. (hyperlink to other article)

We have updated a number of documents including adding information to our Data Backup Overview (G 135), managerial checks to our backup log (G 135A), updated procedures for backup/test restore (M 217C) and procedures for recovery to our Disaster Plan and Emergency Procedures (M 255).

Help is at hand
For private practices that need to sign up for NHSmail you’ll be happy to know that iComply has all the documents you need to help you comply with and complete the DSP Toolkit. CODE recommends getting an NHSmail account as quickly as you can and before the NHS stop accepting paper referrals. For a free, no obligation, demonstration of the iComply system call our new business team on 01409 254 416 or email [email protected]      




Unit 18 Jessops Riverside

800 Brightside Lane



S9 2RX