DSPT

The Data Security and Protection Toolkit (DSPT) is an online self-assessment tool developed by NHS Digital in the United Kingdom. It is designed to help organizations, particularly those in the health and social care sector, to assess and improve their data security and information governance practices.

The DSPT aims to provide organizations with a framework to demonstrate that they are meeting the required standards for the secure handling of sensitive and personal data. It covers various aspects of data security and protection, including information governance, cybersecurity, staff training, and incident management.

Organizations using the DSPT are required to complete a self-assessment questionnaire, which consists of a series of statements about their data security practices. These statements cover different areas and are categorized into various standards and criteria. Organizations are expected to assess their current practices against these statements and provide evidence to support their responses.

By completing the DSPT, organizations can identify any areas where they may have gaps or weaknesses in their data security measures. It also helps them to demonstrate compliance with the General Data Protection Regulation (GDPR) and other relevant data protection laws.

The Data Security and Protection Toolkit (DSPT) has four categories:

• Category 1: NHS Trusts, Ambulance Trusts, Mental Health Trusts, and Care Service Providers (CSPs).
• Category 2: Arm's Length Bodies (ALBs), Clinical Commissioning Groups (CCGs), NHS Digital, and NHS Business Partners.
• Category 3: All other sectors, including primary care (excluding GPs), social care, companies, charities, researchers, universities, and local authorities.
• Category 4: GPs.

The category of an organisation determines which set of evidence items they must complete in the DSPT. The evidence items are designed to assess an organisation's compliance with the 10 data security standards set out in the DSPT.

If you fail a DSPT assessment, you will be given a set of recommendations to help you improve your data security practices. You will have a set period of time to implement these recommendations, and you will be reassessed at the end of this period. If you are still not compliant, you may be subject to further action, such as a fine or a ban on processing patient data.

Here are some of the consequences of failing a DSPT assessment:

• You may be required to implement a range of corrective actions to improve your data security practices.
• You may be required to report your findings to the Information Commissioner's Office (ICO).
• You may be subject to a fine by the ICO.
• You may be banned from processing patient data.

It is important to note that the consequences of failing a DSPT assessment can vary depending on the severity of the non-compliance. For example, if you fail to implement a basic security measure, such as password protection, you may be given a warning. However, if you fail to implement a more complex security measure, such as encryption, you may be subject to a fine.

If you are concerned about your data security practices, you should contact a data protection expert to help you assess your compliance with the DSPT.

The Information Commissioner's Office (ICO) can impose fines of up to £17.5 million or 4% of your global turnover, whichever is greater, for failing to comply with the Data Security and Protection Toolkit (DSPT). The amount of the fine will depend on the severity of the non-compliance and the impact on individuals.

For example, in 2022, the ICO fined Clearview AI Inc. £7.55 million for failing to comply with the DSPT. Clearview AI is a facial recognition company that scraped billions of images from the internet without the consent of the individuals in the images. The ICO found that Clearview AI's actions had a significant impact on individuals' privacy, and that the company had not taken adequate steps to protect people's data.

If you are concerned about your compliance with the DSPT, you should contact a data protection expert to help you assess your risks and take steps to improve your security practices.

Here are some additional factors that the ICO may consider when determining the amount of a fine for a failed DSPT assessment:

• The intentionality of the non-compliance.
• The level of cooperation with the ICO's investigation.
• The steps taken to mitigate the impact of the non-compliance.
• The public interest in the case.

If you are fined by the ICO for failing to comply with the DSPT, you may be able to appeal the decision to the First-Tier Tribunal. However, it is important to note that appeals are rarely successful.