5. Organisation types
This document defines the organisation types within the Data Security and Protection Toolkit in 2024-25.
DSPT 2024-2025 for IT Suppliers and Independent Providers who are designated Operators of Essential Services
General
Organisation types are reviewed annually for appropriateness against the prevailing NHS and Local Authority structures in England. Organisation type is based on the services provided, the contractual terms in place and any other drivers for completing the Data Security and Protection Toolkit (DSPT), which could include when processing NHS data as part of a research study.
The organisation type determines which Category of toolkit is to be completed. There are four Categories: 1,2, 3 and 4. Each category has a pre-determined set of evidence items, with some mandatory and some non-mandatory for an organisation and determines the language used in asking the evidence item.
Category 1 organisations will view a Cyber Assessment Framework (CAF) aligned view of the DSPT requirements.
A brief description of each Organisation type is listed below including the Category of evidence items applicable.
Arms Length Body (ALB)
Department of Health and Social Care (DHSC) ALBs regulate the health and social care system, establish national standards, protect patients and the public and provide central services to the NHS.
They include the organisations such as NHS Digital, NHS England, Medicines and Healthcare products Regulatory Agency (MHRA).
DSP Toolkit view is based on the Category 1 requirements and will view a Cyber Assessment Framework (CAF) aligned view of the DSPT requirements.
Integrated Care Board (CCG/ICB)
An NHS organisation responsible for arranging for the provision of services for the purposes of the health service in England. This should be selected by organisations that are NHSIntegrated Care Board (ICBs).
DSP Toolkit view is based on the Category 1 requirements and will view a Cyber Assessment Framework (CAF) aligned view of the DSPT requirements.
Commissioning Support Unit (CSU)
An NHS organisation responsible for supporting commissioners (e.g. ICBs) to carry out their functions of commissioning NHS-funded services. This should be selected by organisations that are NHS CSUs.
DSP Toolkit view is based on the Category 1 requirements and will view a Cyber Assessment Framework (CAF) aligned view of the DSPT requirements.
Dentist
This is a practice that has agreed with their commissioning organisation to provide NHS clinical and educational dental services or private dental services.
DSP Toolkit view is based on the Category 3 evidence items.
General Practice (GP)
This is a practice in which a general practitioner provides a range of medical services including comprehensive and continuing medical care to patients irrespective of age, sex and illness; and in many cases, enhanced services such as extended diagnostic and monitoring services, minor surgery, and health promotion activities.
DSP Toolkit view is based on the Category 4 evidence items.
IT Supplier
An organisation external to the NHS, contracting with an NHS or care organisation/s to provide digital (either software and / or physical) goods and services to the NHS and/or care. This would not include organisations who delivering direct care through digital tools as healthcare providers, they should select the Other category.
If you are a company that meets all the criteria of: 50+ staff, a turnover of £10m+ and supplies digital (either software and / or physical) goods and services to the NHS and/or care, then you should select IT Supplier.
The scope of the Data Security and Protection Toolkit for companies IT Suppliers will be the health and care data they process, not the full data processing of the organisation.
DSP Toolkit view is based on the Category 2 evidence items.
Local Authority
A county, shire, district, borough or city council responsible for providing public services within a defined geographical area. This view aligns the PSN assurance and DSP Toolkit requirements to reduce duplication. This view encourages a single assessment with contributions by LA Public Health and Social care teams to the broader Local Authority assessment.
The scope of the Data Security and Protection Toolkit will be the health and adult social care data they process, not the full data processing of the organisation.
DSP Toolkit view is based on the Category 3 evidence items.
NHS Trust
An NHS organisation providing one or more of the following services:
Acute Trust: Short-term hospital-based or emergency health services - sometimes referred to as secondary care.
Ambulance Trust: An NHS organisation providing emergency access to health care.
Community Services Provider: An NHS organisation, providing community services to NHS patients.
Mental Health Trust: An NHS organisation providing mental health services from either a hospital or a community base.
This organisation type should ONLY be selected by organisations that are NHS Trusts.
DSP Toolkit view is based on the Category 1 requirements and will view a Cyber Assessment Framework (CAF) aligned view of the DSPT requirements.
Operator of Essential Service (OES) Independent
Under the Network and Information Systems (NIS) direction an organisations that can significantly disrupt the delivery of essential services are considered ‘operators of essential services’ under the NIS Regulations.
It includes independent providers of health and care who have been considered operators of essential services under the NIS directive.
DSP Toolkit view is based on the Category 2 evidence items.
Optician
Optician, ophthalmologist, optometrist etc. providing NHS services: A provider that has agreed with their commissioning organisation to provide NHS primary eye health services, such as NHS sight testing.
DSP Toolkit view is based on the Category 3 evidence items.
PHARMACIES
Community Pharmacy
A pharmacy that has agreed with their commissioning organisation to provide NHS pharmaceutical services in their area, i.e. advice and guidance, and dispensing medications against NHS prescriptions.
Pharmacy HQ
Pharmacy organisations with more than one branch and a Head Office IG function where branch staff are contractually required to follow the policies, procedures and training provided by that Head Office IG function.
DSP Toolkit view is based on the Category 3 evidence items.
Social Care
An organisation that provides adult social care, such as domiciliary care, care homes and residential homes, day services. This could be services commissioned by the NHS, local authorities or directly with service users. It includes organisations that are registered with the CQC and those not registered.
DSP Toolkit view is based on the Category 3 evidence items.
University (including researcher and secondary use)
An organisation that processes patient information for secondary purposes such as research. Organisations or parts of organisations that make an application under Health and Social Care Act (Section 251) to the HRA Confidentiality Advisory Group (CAG) or via the Data Access Request Service are required to complete a DSP Toolkit assessment.
The scope of the Data Security and Protection Toolkit for these organisations will be the health and care data they process, not the full data processing of the organisation.
DSP Toolkit view is based on the Category 3 evidence items.
Other (including charities, some companies and NHS Business Partners)
This category is for all organisations who are not listed in one of the other categories. If you are not sure which category to select, then select this one.
This has replaced several previous categories, including: AQP Clinical, AQP Non-Clinical, Charity/Hospice, Company, NHS Business Partner and Prison.
The scope of the Data Security and Protection Toolkit for these organisations will be the health and care data they process, not the full data processing of the organisation.
It would also include organisations such as Primary Care Networks and Companies who are not large IT suppliers.
DSP Toolkit view is based on the Category 3 evidence items.
Parent / Child Organisations
If the parent assessment covers the services and activities of child organisations, then it can use functionality in the DSP Toolkit to show this assessment across all its separate sites.
Sector
NHS Trusts - Category 1
CSU - Category 1
Arm’s Length Body - Category 1
Integrated Care Board (ICB) - Category 1
IT Supplier Category 2
Dentist - Category 3
Local Authority - Category 3
OES Independent Provider - Category 2
Optician - Category 3
Pharmacy - Category 3
Other (including charities and NHS business partners) - Category 3
Social care - Category 3
University (including researcher / department / secondary use) - Category 3
General Practice (GP) - Category 4