Data Security and Protection Toolkit

NHS Digital Data Security and Protection Toolkit

The Data Security and Protection Toolkit replaced the previous Information Governance (IG) Toolkit in April 2018.

The Data Security and Protection Toolkit is an online self-assessment tool that enables organisations to measure and publish their performance against the National Data Guardian’s ten data security standards.

All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

In terms of compliance levels, the new toolkit does not feature levels 1, 2 and 3 as the previous toolkit did. To meet the new standard, organisations must respond to all evidence items which are identified as mandatory, and confirm the associated ‘assertions’.

Information Governance Registers

Our submission to NHS Digital when completed will be published here.

Our Data Flow Map (DFM) when completed will be published here. It shows all the CCG’s inbound and outbound data flows in which the data is fully identifiable or pseudonymised (e.g. NHS number only).

Our Information Asset Owners (IAO) register when completed will be published here. It lists all the CCG’s assets which hold information and records the assessed risks for each asset.

Information Governance breaches

Occasionally the CCG will incur information governance breaches where member practices or other organisations have included Personal Identifiable Data (PID) and/or Personal Confidential Data (PCD) in communications to the CCG (for whatever purpose) that are not recorded on the Data Flow Map (DFM) and have no clear legal basis.

It is the responsibility of the CCG to inform senders where there has been a breach and to report it accordingly. Whether the sender reports or investigates is for them to determine.

Any serious breaches, where significant harm has been done to the data subject in terms of privacy, need to be reported to NHS Digital through the Data Security and Protection Toolkit within 72 hours of becoming aware of the incident; otherwise penalties may be incurred. We would remind practices of this requirement.

Incident reporters will need to log in to the toolkit with a registered username and password. Reporting on the Toolkit will also inform the Information Commissioner’s Office (ICO). Further guidance on incident reporting is available here.

Pseudonymised data that uses an identifier which could be linked to an individual remains PID/PCD, irrespective of whether the CCG has a system it could use to identify the patient (the typical example being the NHS number).

Information Governance policies

Our policies linked to compliance with the Data Security and Protection Toolkit are published here.