DSP Toolkit Deadline Extension - Frequently asked questions (21 September 2020)
Lots of questions have been received about the extension to the DSP Toolkit deadline so they have been collated in an FAQ page.
DSP Toolkit Deadline Extension - Frequently asked questions
Q: I am struggling to complete all elements of the DSP Toolkit in time for 31 March because of COVID 19.
A: The deadline for completing the DSP Toolkit has been extended to 30 September 2020.
Q: I am ready to publish my DSP Toolkit. Do I have to wait until September 2020?
A: No, you can publish as soon as you are ready if it does not impact on your COVID 19 response.
Q: We are trying to answer 3.2.1 ‘Have at least 95% of all staff, completed their annual Data Security awareness training in the period 1 April to 31 March?’ Do we only count staff up to 31st March?
A: As the deadline for submitting your toolkit assessment has been changed to 30 September, this extends the period of delivery for evidence items in the DSP Toolkit. So, the period for which you can count staff as completing the Data Security Awareness Training to achieve 95% is now 1 April 2019 to 30 September 2020.
Q: Our contract says we must publish by 31 March 2020. Does the deadline extension apply to us?
A: If you have a date of 31 March 2020 to publish a DSP Toolkit publication in a contract, the organisation issuing the contact must agree the change.
Q: In 1.4.2: ‘When were information flows approved by the Board or equivalent?’ It says this must be in the last twelve months. Is this still correct?
A: As the deadline for submitting your toolkit assessment has been delayed this extends the period of delivery for evidence items in the DSP Toolkit. So, the date when Information flows were approved is now any date after 1 April 2019 to the date of publication.
Q: In 1.7.6: ‘When was the date of last audit being made on data disposal contractors/other arrangements to ensure security is of the appropriate agreed standard?’ It says this must be in the last twelve months. Is this still correct?
A: As the deadline for submitting your toolkit assessment has been delayed this extends the period of delivery for evidence items in the DSP Toolkit. So, the date when the last audit is now any date after 1 April 2019 to the date of publication.
Q: In 2.1.2: ‘When did your organisation last review the list of all systems/information assets holding or sharing personal information?’ It says this must be in the last twelve months. Is this still correct?
A: As the deadline for submitting your toolkit assessment has been delayed this extends the period of delivery for evidence items in the DSP Toolkit. So, the date of the review is now any date after 1 April 2019 to the date of publication.
Q: In 6.3.4: ‘When did the last review of monitoring solutions take place?’ It says this must be in the last twelve months. Is this still correct with the extension to the deadline?
A: As the deadline for submitting your toolkit assessment has been delayed this extends the period of delivery for evidence items in the DSP Toolkit. So, the date of the review is now any date after 1 April 2019 to the date of publication.
Q: In 9.2.2: ‘The date the penetration test and vulnerability scan were undertaken’. It says this must be in the last twelve months. Is this still correct with the extension to the deadline?
A: As the deadline for submitting your toolkit assessment has been delayed this extends the period of delivery for evidence items in the DSP Toolkit. So, the date of the penetration test and vulnerability scan is now any date after 1 April 2019 to the date of publication.
Q: In 3.1.1: ‘Has an approved organisation wide data security and protection training needs analysis been completed in the last twelve months?’ It says this must be in the last twelve months. Is this still correct with the extension to the deadline?
A: As the deadline for submitting your toolkit assessment has been delayed this extends the period of delivery for evidence items in the DSP Toolkit. So, the date of the training needs analysis is now after 1 April 2019 to the date of publication.
Q: In 5.3.1: ‘Explain how the actions to address problem processes are being monitored and assurance given to the Board or equivalent senior team?’ It says this must be in the last twelve months. Is this still correct with the extension to the deadline?
A: As the deadline for submitting your toolkit assessment has been delayed this extends the period of delivery for evidence items in the DSP Toolkit. So, the date assurance given to the Board or equivalent senior team is now after 1 April 2019 to the date of publication.
Q: In 7.2.1: ‘Explain how your data security incident response and management plan has been tested to ensure all parties understand their roles and responsibilities as part of the plan’. It says this must be in the last twelve months. Is this still correct with the extension to the deadline?
A: As the deadline for submitting your toolkit assessment has been delayed this extends the period of delivery for evidence items in the DSP Toolkit. So, the date of the test is now 1 after 1 April 2019 to the date of publication.
Q: Has the deadline for complying with the national data opt out moved?
A: Yes, futher details are provided on the DSPT news page.
Q: We want to publish now but there is one item we haven’t completed. Can we publish now and submit an Improvement plan and continue working on it now?
A: Yes, as long it does not impact on your COVID-19 response.
See the note on the news page of the DSPT and follow the guidance with the enclosed Improvement plan template. We do require the plan to have dates but they can be related to a return to Business as Usual. For example: Policy will be approved three months after return to Business as usual.
Q: I am publishing on behalf of the branches in my company as a HQ and all the ODS Codes are set up and correct. Due to Coronavirus, some sites are not ready, but all the rest are. Can I publish on behalf of some organisations and not others?
A: Yes, you can publish for any number of your sites. When you come to publish, you are asked which sites you are publishing. Untick the sites that that are not ready and publish for the others. You can republish your assessment and add the other sites once they are ready.
Q: Which organisations can submit an improvement plan?
A: NHS Trusts, Local Authorities, DHSC ALBs, CCGs and CSUs can submit improvement plans where they are approaching a level of ‘Standards Met’ in all but a few areas.
Other organisations in categories 3 and 4, having fewer requirements to meet, cannot submit an improvement plan, but they have until 30 September 2020 to complete and publish their toolkit assessment
Q: If we wish to submit an improvement plan, does this mean we have to publish our toolkit assessment, including the plan, by 31 March 2020?
A: No, you can publish your toolkit assessment and submit your improvement plan anytime during the period up to 30 September 2020.
Q: How do we submit an improvement plan?
A: Complete all the evidence items where you can confirm you meet the requirement and follow the guidance on how to complete your improvement plan and upload this at evidence item 1.8.2.
Q: What will happen at the end of September 2020 if we are still unable to publish a Standards Met submission?
A: You will be able to follow the year end arrangements guide and submit an improvement plan. See the note on the news page on the DSP Toolkit and follow the guidance with the enclosed Improvement plan template.
Q: What effect will this extended deadline of 30 September have on the toolkit for 20/21?
A: The 20/21 DSP Toolkit will be implemented after 30 September. Arrangements for this will be kept under review during the COVID 19 response.
Q: When will the new toolkit requirements for 20/21 be available?
A: We are hoping to have them approved in April and then available as a spreadsheet via the DSP Toolkit. But they will not be implemented into the DSP Toolkit until after 30 September 2020. You will not be able to publish a 20/21 DSP Toolkit until after 30 September.
Q: We are a CCG which is merging on 1 April 2020. We will not exist in September 2020, what should we do?
A: If you can publish before you merge without impacting on your COVID 19 response you should do so. CCGs which are merging should publish a DSP Toolkit over the next few days even if they haven’t achieved Standards met, where publishing does not impede their COVID 19 response.
You don’t need to complete a formal Improvement plan for the mandatory evidence items not completed, but any detail in the comments box of those evidence items not met would be appreciated.
The DSP Toolkit for the CCGs that are merging will not be closing on 31st March 2020 but will remain open to allow you to publish if you don’t get chance beforehand.
This will allow us to see the areas where CCGs have completed the data security evidence items before CCGs are merged and ensure, from a DSP Toolkit point of view, that newly formed CCGs get a cleaner start.
Once you have published, email us at cybersecurity@nhs.net so we can amend the status to Standards not fully met (plan agreed).
Q: We are a Trust just short of achieving our 95% training target, can we just pick up the stragglers between now and 30 September 2020 to meet the 95% target for 2019/20?
A: Yes, if a Trust has 10,000 staff, it needs to train 9,500 between 1 April 2019 and September 2020 to meet the 95% target.
So if it had trained 9,450 between April 1 2019 and March 31st 2020, the Trust would need to train 50 more to reach 9,500 and achieve the target.