Data Security and Protection Toolkit

NHS Digital Data Security Protection Toolkit

The Data Security and Protection Toolkit has replaced the previous Information Governance toolkit from April 2018.

The Data Security and Protection Toolkit is an online self-assessment tool that enables organisations to measure and publish their performance against the National Data Guardian’s ten data security standards.

All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practicing good data security and that personal information is handled correctly.

in terms of compliance levels, the new toolkit does not feature levels 1, 2 and 3 as were part of the previous toolkit. To meet the new standard, organisations must respond to all evidence items which are identified as mandatory, and confirm the associated ‘assertions’.

Buckinghamshire CCG’s annual compliance is published here.

Annual reports – Data Security and Protection (Information Governance, Caldicott Guardian, Data Protection Officer)

2019-2020 Data Security and Protection – Information Governance ANNUAL REPORT

14b-c. COMBINED Annual Caldicott Guardian Report 2018-19 v4 FINAL + SIRO

13d. Data Security and Protection – Information Governance ANNUAL REPORT v6 FINAL

Information Governance Registers

A Data Flow Map (DFM) shows flows of data to and from the organisation, e.g. other NHS organisations including providers, local authorities and third parties. It is otherwise known as a register of processing activities (ROPA). A summary of the CCG’s ROPA is contained within its Fair Processing Notice (FPN) under the sub-section “For other organisations to provide services to us”.

This provides the following details:

  • Data Processor
  • Category of data processor
  • Categories of individuals
  • Categories of data
  • Purpose of data processing
  • Evidence of fee payment to the Information Commissioner’s Office (ICO)
  • NHS Data Security and Protection Toolkit compliance

A fuller version provides a register of legal bases for each flow, whether fully identifiable or pseudonymised (e.g. record level/NHS number only), data protection impact assessments (where relevant) and sharing and/or processing agreements associated with each flow. This fuller version is subject to request under Freedom of Information.

An Information Asset Register (IAR) documents the information assets which hold data the organisation receives through flows shown on the Data Flow Map/Register of processing activities, and risk assesses each asset.

For details on the FOI process please refer to the contact us page.

Retention schedules

The CCG applies the following retention schedules/envisaged time limits to flows where the CCG is data controller:

  • Continuing Healthcare/Individual Funding Requests/ad-hoc funding requests – 8 years
  • Secondary Uses Services (joint data controller with NHS Digital) – 8 years where it holds duplicate copies of NHS Digital data
  • Human Resources records for CCG staff – 6 years or 75th birthday (whichever is sooner)
  • Complaints/Freedom of Information/public consultation/patient and service user expenses claims/photo release – varies in line with code of practice

We will only retain information in accordance with the schedules set out in the Records Management Code of Practice for Health and Social Care 2016.

Information Governance breaches

Occasionally the CCG will incur information governance breaches where member practices or other organisations have included Personal Identifiable Data (PID) and/or Personal Confidential Data (PCD) in communications to the CCG (for whatever purpose) where not recorded on the Data Flow Map (DFM) without clear legal basis.

It is the responsibility of the CCG  to inform senders where there has been a breach and report this accordingly. Whether the sender reports/investigates is for them to determine.

Any serious breaches, where significant harm has been done to the data subject in terms of privacy, need to be reported to the NHS Digital Data Security and Protection Toolkit within 72 hrs of reporting of the incident or else penalties are invited; we would remind practices of this requirement.

Incident reporters will need to login to the toolkit with a registered username and password. Reporting on the Toolkit will also inform the Information Commissioners Office. Further guidance on incident reporting is available here.

Pseudonymised data using an identifier which could be linked to an individual remains as PID/PCD, irrespective of whether the CCG does or does not have a system which it can use to identify a patient (the typical example being NHS number).

Information Governance policies

Our policies linked to compliance with the Data Security and Protection Toolkit are published here.

Mandatory training

CCG staff have a mandatory requirement every year to complete training, with 95% completion compliance reported within the Toolkit.

Data Security Awareness