NHS Digital Data Security Protection Toolkit
The Data Security and Protection Toolkit has replaced the previous Information Governance toolkit from April 2018.
The Data Security and Protection Toolkit is an online self-assessment tool that enables organisations to measure and publish their performance against the National Data Guardian’s ten data security standards.
All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.
in terms of compliance levels, the new toolkit does not feature levels 1, 2 and 3 as were part of the previous toolkit. To meet the new standard, organisations must respond to all evidence items which are identified as mandatory, and confirm the associated ‘assertions’.
Information Governance Registers
Our submission to NHS Digital when completed will be published here.
Our Data Flow Map (DFM) when completed will be published here.
It shows of all the CCG’s inbound and outbound data flows where fully identifiable or pseudonymised (e.g. record level/NHS number only)
Our Information Asset Owners (IAO) register when completed will be published here.
It lists all the CCG’s assets which hold information and which records assessed risks.
Both registers remain subject to ongoing review and change in line with NHS Digital’s best practice governance standards. The above uploads are dated as at submission to NHS Digital as part of the CCG’s annual March submission of the Data Security and Protection Toolkit.
The CCG applies the following retention schedules/envisaged time limits to flows where the CCG is data controller:
- Continuing Healthcare/Individual Funding Requests/ad-hoc funding requests – 8 years
- Secondary Uses Services (joint data controller with NHS Digital) – 8 years where it holds duplicate copies of NHS Digital data
- Human Resources records for CCG staff – 6 years or 75th birthday (whichever is sooner)
- Complaints/Freedom of Information/public consultation/patient and service user expenses claims/photo release – varies in line with code of practice
We will only retain information in accordance with the schedules set out in the Records Management Code of Practice for Health and Social Care 2016.
Information Governance breaches
Occasionally the CCG will incur information governance breaches where member practices or other organisations have included Personal Identifiable Data (PID) and/or Personal Confidential Data (PCD) in communications to the CCG (for whatever purpose) where not recorded on the Data Flow Map (DFM) without clear legal basis.
It is the responsibility of the CCG to inform senders where there has been a breach and report this accordingly. Whether the sender reports/investigates is for them to determine.
Any serious breaches, where significant harm has been done to the data subject in terms of privacy, need to be reported to the NHS Digital Data Security and Protection Toolkit within 72 hrs of reporting of the incident or else penalties are invited; we would remind practices of this requirement.
Incident reporters will need to login to the toolkit with a registered username and password. Reporting on the Toolkit will also inform the Information Commissioners Office. Further guidance on incident reporting is available here.
Pseudonymised data using an identifier which could be linked to an individual remains as PID/PCD, irrespective of whether the CCG does or does not have a system which it can use to identify a patient (the typical example being NHS number).
Information Governance policies
Our policies linked to compliance with the Data Security and Protection Toolkit are published here.
CCG staff have a mandatory requirement every year to complete training, with 95% completion compliance reported within the Toolkit.