8. Frequently asked questions

Responses to frequently asked questions regarding the Data Security and Protection Toolkit.

Q – (GENERAL) Why does my organisation have to complete a Data Security and Protection Toolkit assessment? 

A – This is covered in the About the Data Security and Protection Toolkit Help document.


Q – I am using the 'Provide evidence for multiple organisations in one go' feature and sometimes I am only able to view answers, not change answers.  Why?

A – The 'provide evidence for multiple organisations in one go' function enables individuals to respond to text, date and checkbox questions in bulk.  For questions that require a document, it is only possible to review responses in bulk.  Expansion of this functionality will be kept under consideration as we monitor usage of the new tool.  We need to be satisfied that the feature is easy to use and popular, and that performance and speed are acceptable.


Q – (INCIDENT REPORTING) How do I edit an incident?

A – It is not possible to edit an incident.

The scope of the DSPT incident reporting system is limited to the initial notification to regulators.  Once notified, the incident is managed by the ICO using their case management system.

Where an incident has been reported to the ICO / DHSC, any further updates should be brought to the attention of the ICO directly. 

It is acknowledged that information held on the DSPT reflects the best understanding at the point the incident was initially notified. 


Q – (DATA QUALITY) Is Data Quality limited to clinical coding in the DSPT / Is Clinical Coding included in the DSPT?

A – Whilst clinical coding represents a vital portion of data quality and is included in the DSPT, it is not the only element. We have worked with our colleagues in Data Quality Assurance to produce guidance covering elements of data quality other than clinical coding, both for large organisations and for smaller organisations.  This guidance is now published.

Guidance on data quality and clinical coding audits is available in Data Security Standard 01 - Personal confidential data big picture guide.


Q – (ORGANISATION PROFILE) We run a hospital but also some GP practices. Which sector should we choose?

A – You should pick the sector which reflects the largest bulk of the work you undertake as an organisation. 

For more information, please see the organisation types guidance.


Q – (ORGANISATION PROFILE) The organisation profile asks if I have NHSmail?  I don’t, but I do use another secure email provider (e.g. Office 365).  Please can this be added to the organisation profile?

A – Where an organisation confirms NHSmail is the only email system used, there are a small number of evidence items which the organisation no longer needs to provide.

We recognise that NHSmail is not the only secure email service; however, at this stage we do not intend to add further options.

We do not believe it is feasible for organisations to reliably and consistently self-certify that they have an alternate secure email service, in a way which avoids adding additional complexity and burden to the organisation profile process for all users.

This will be kept under review.


Q – (ORGANISATION PROFILE) Once I have completed my organisation profile, can my responses be changed?

 A – Yes, an organisation profile can be changed at any time by an administrator, by using the admin menu.  For example, your organisation may gain Cyber Essentials PLUS accreditation during the year and you may wish to update your organisation profile accordingly.


Q – (ORGANISATION PROFILE) Do I need Cyber Essentials PLUS to complete a toolkit self assessment?

A – No.  If you do not have Cyber Essentials PLUS accreditation simply choose 'no' or 'don't know' when prompted.  Where organisations do hold Cyber Essentials PLUS they do not have to respond to some toolkit questions, as these will be exempt, but Cyber Essentials PLUS certification is not mandatory. 

The same principle applies to any questions you may be asked about ISO 27001, NHSmail and PSNIA certification.


 Q – (THE STANDARD) Do requirements vary between sectors?

 A – Yes, the assertions and evidence items are tailored depending on your organisation type.  For example, a domiciliary care organisation will see a sub-set of those items which an NHS Trust (for example) would be expected to provide, and the language will be tailored to be appropriate for a smaller organisation.


Q – (GENERAL) Our company is made up of several divisions… should we complete one assessment or one for each division?

 A – If you are a single legal entity and have a single ICO registration but have multiple sites, one toolkit could cover them all.  Please contact the helpdesk and we will provide access to Headquarters 'HQ' functionality and/or help you publish for all your sites.

If you have multiple legal entities, with multiple ICO registrations, it is unlikely that a single toolkit will cover everything.  We would be happy to discuss how atypical organisations can make best use of the toolkit.


Q – (GENERAL) What does 'beta' mean?

A – The 'beta' logo indicates that the service is still subject to further development.  For more information, please see the 'System Changes and Release Notes' article on the News page.


Q – (TRAINING) Staff surveys and the e-learning for health data security training are frequently mentioned within the toolkit.  Do we have to use this training?  Will the e-learning for health system automatically feed the DSP?

A – Organisations are encouraged to use the national e-Learning for Health training tool.

Use of local training is however acceptable where the SIRO (or equivalent) has formally confirmed that local training is of an equivalent or higher standard.

Where the Data Security and Protection Toolkit requests training KPIs, these should be entered on the system manually (our user research to date has indicated that users prefer no automation).

You can also view responses to e-learning frequently asked questions.


Q: What happens if I am submitting data to NHS England systems via an API and my DSPT self-assessment renewal results in a ‘Standards Not Met’ status?

A: You should take the following steps:

  • Assess the risk.
  • If necessary, stop submitting data/stop using your API.
  • Review the guidance documents on this DSPT website and implement accordingly.
  • If you need NHS England advice, use the contact us function on the NHS England website or email enquiries@nhsdigital.nhs.uk


Q: We are an Independent Sector Healthcare Provider (ISHP)/ Non-NHS organisation applying for NHSmail.  Do we have to do the DSP Toolkit at HQ/Provider level or at a site by site level?

A: You will be required to complete a DSP Toolkit at HQ/Provider level.  Further information is available at https://www.digitalcarehub.co.uk/data-security-protecting-my-information/data-security-and-protection-toolkit/registering-for-the-data-security-and-protection-toolkit/ on registering sites and HQs.  It was written for the social care sector but the advice is the same for ISHPs.  


Q: Should a Primary Care Network (PCN) complete a DSP Toolkit?

A: All organisations that process health and/or care data should complete the DSPT - (https://digital.nhs.uk/data-and-information/information-standards/information-standards-and-data-collections-including-extractions/publications-and-notifications/standards-and-collections/dapb0086-data-security-and-protection-toolkit).

If a PCN is a separate organisation to the general practices in the network, is processing health data and taking legal responsibility for the data processing, then it should complete the DSPT.

If the PCN is not a separate organisation and another organisation, such as the lead general practice, takes legal responsibility for the health data processing of the PCN, then that General Practice should include the PCN data processing in its DSPT submission.

Primary Care Networks should select 'Other (including charities and NHS Business Partners)' as their primary sector.


Q: Do I have to complete a DSP Toolkit every year?

A: The Data Security and Protection Toolkit (DSPT) is an online self-assessment tool that allows organisations that process health and care data to measure their performance against the National Data Guardian’s 10 data security standards.

Health and care organisations that have access to NHS Patient Data and Systems should complete a Data Security and Protection Toolkit self-assessment every year against the standard. 


Q: What are DSP Toolkit Certificates?

A: The DSPT certificate is a quick and visual way to demonstrate your DSPT compliance.

Organisations that reach Standards Met or Standards Exceeded can download the certificate which includes the standard they have reached, the year of their DSPT and the date they published.  Certificates are available for the most recent year of publication.

Here are some tips on how to make the most of it:

  • Print your certificate and display it on your premises.
  • Upload it to your website.
  • Share it with people seeking care.
  • Use it as evidence where relevant for CQC, commissioners, NHS partners, bids, data suppliers etc.

Head offices (HQs) can access the certificate within the Previous Publications section of their DSPT account.  If your DSPT covers multiple sites, you will need to download and share the certificate with them.

A short guide is available on how to access and use your DSPT certificate.

Q – I am a Pharmacy and cannot see the option to upload my GDPR Workbook?

A: The GDPR Workbook is no longer included for upload into the DSPT.
It can still be a great source of evidence for you to use, but positive confirmation is required for each of the evidence items this year, rather than all of them being answered automatically if you have completed a GDPR Workbook.


Q – (SUPPORT) Who should I contact if I have any queries?

Please contact the helpdesk if you have any queries.  Contact details are available from the contact us page.

We appreciate your feedback, but please note that we are unable to respond to specific queries raised through the ‘Feedback’ function.  Please use the helpdesk for this purpose.


 Q – (TRAINING) I am a Category 1 organisation (NHS Trust/ICB/CSU/ALB/Key IT Supplier/Independent Provider designated as Operator of Essential Service) and have some questions about the updated training requirement for 23-24 V6.


Q – (TRAINING) How is 'success' quantified under the new training requirement (i.e. do you need to have delivered 100% of the training outlined in your Training Needs Analysis)?  How will auditors judge a situation where a staff member hasn’t done what is outlined in the TNA?

As an organisation you control the levels and frequency of your training and awareness activities by setting and agreeing them in your TNA document.  You should set these levels and frequency as you think meets the outcome of staff having and retaining their necessary understanding for the role.

To achieve the delivery of the training and awareness activities you need to be confident you have delivered what you set out in the Training Needs Analysis.

So for example:

If your TNA said:

  • 80% of staff who handle patient confidential data will have completed data security awareness e-learning or undertaken a face to face IG and Cyber briefing in the last 12 months.
  • All System administrators have completed Data Security Awareness and an in-house system admin course.
  • Caldicott Guardian and deputy will have completed the Caldicott Guardian council e-learning and had an IG briefing in the last twelve months.
  • Awareness posters will be in place in all main thoroughfares of the organisation.
  • Awareness campaigns will run quarterly across screen savers.

You would need to be able to demonstrate delivering this to achieve the evidence item.

In terms of audit, the audit criteria for delivery of the TNA are:


  • From the training needs analysis document, select a sample of entries for several staff groups.
  • Confirm for that sample that the associated activities for those staff groups have been initiated (note levels of training required in that staff group may mean that staff have not received activities yet).



Q – (TRAINING) Can our organisation just stick to the existing 95% training requirement under the new regime?

Yes, you are free to decide what is appropriate, provided it meets the outcome of staff having and retaining the necessary understanding for their role.

If you decide that having 95% of staff completing data security awareness training meets the outcomes of staff having and retaining the necessary understanding for their role, then this would be acceptable.

You would still be required to have this endorsed by senior leadership and then deliver it, to achieve the evidence item.


 Q – (TRAINING) How do we establish standards for locum staff or new staff who have moved from another organisation in our TNA?

The organisation has flexibility to set this at the level it thinks best meets the outcomes of staff having and retaining the necessary understanding for their role.  In the guidance on staff training and awareness the specimen TNA shows an example of how you could do this.

Consider the guidance and what you do currently.  Consult managers and staff who have recently started to get a sense of what they thought they needed to know when they started.

If you have any external requirements for training and awareness to access shared systems, build this into the requirements for staff moving to 

On locums, check the contracts that you have with the agencies; the contracts may include data security training requirements which the agency is already delivering.


Q – Does our IT Department's ISO 27001 certification allow us to claim ISO 27001 exemption?

No. The ISO 27001 certification must cover all your health and care data processing to receive the full exemption.
If an organisation has ISO 27001 for their IT Department, then this will be good evidence ready to answer many of the IT questions in the DSPT but not all questions. An ISO 27001 certification covering all health and care processing would cover, for example, 10.1.1 on having an up-to-date list of suppliers who are processing health and care data.


Q – Could our DSPT be disclosable under Freedom of Information Act - FOI?

No, your DSPT cannot be disclosed under FOI.

Under our legal direction to collect information through the DSPT, we are specifically prohibited from releasing any of the information in the DSPT.

 Relevant extract from Legal Direction

 In accordance with section 260(2)(d) of the Act, NHS Digital is directed not to publish the data obtained by complying with the section 254 Direction except for a summary level of each organisations’ completed data security and protection toolkit which will be made available online to the public.

 Example of summary information made available online for NHS England.