Month: January 2019

DSPT Introduction – No. 12

DSPT Introduction – No. 12


This is a follow on from the GDPR blog which will look at the the Data Security and Protection Toolkit which all GP practices need to submit by the 31st March 2019. The DSPT is a sequel to the IG Toolkit and whilst many parts are similar, there are also new sections and the sum total is a more comprehensive undertaking.  There is a focus on cyber-security which will enable our IT systems to be more robust in response to malware such as virus infections, or the cryptoworm Wanncry ransomware which caused such disruption in May 2017. Much of the information needed for these sections will be common across NWL, for example specifying the type of antiviral software in use. Where these question are identified we will provide the information you need here. Some of the GDPR work outlined in prior blogs on this website will also support your submission and the DSPT action plan (see output documentation below) identifies where there are common areas and links to them.

Is there a pass fail process or a scoring system? When the IG Toolkit was first released, the idea was to encourage organisations to simply take part. Over time there was an aspiration to agreed levels of IG competence and our NWL IG sharing agreements asked all health care organisations to achieve level 2 of the IG toolkit before they could share electronic patient records. In a similar way the first step with the DSPT will be to register and complete those sections which are identified as compulsory. In time your organisation may want to document their IG competence in some of the non-compulsory sections.

Who will see our DSPT returns? As we learn to  share information in our health care communities in more integrated ways there will be sharing agreements which require mutually agreed standards. It will be possible to sign up to those agreements electronically on the Data Control Console DCC. In addition to being a repository for Information Sharing Agreements and Data Processing Agreements it will also be a place where you can share your standards of IG competence with other organisation who want to work with you.

When your practice is inspected by QCQ you may be expected to demonstrate that that your organisation is compliant with GDPR and to to show evidence to support this.  The DSPT is one way of benchmarking this and may be used for corroboration. Likewise if your practice is ever the subject of a complaint related to the management of personal data, the ICO may want to see evidence of the standards of IG which you are achieving. The results of the DSTP are also available to NHS Digital who may audit and analyse the scores in order to identify organisations who need further support.

Review of Action Points from the Previous Session

  • To do 42 – Review GDPR action plan and schedule activities into work plans
  • To do 43 – Review DPST action plan and ensure activities are scheduled in to meet compliance by 31 March 2019

Work covered this week

1) How to register with the DSPT?

If you have not already done so you can register your practice here:

You will need to provide an email address and also give a your practice code in the form E85074

2) What Sections should I complete?

There are a large number of sections, but in the first instance you should start with those items which are identified on the site as compulsory

3) Where can I find further support?

There are a number of different support options which include

  • Workshops
  • Webinars (to be advised)
  • This blog
  • NWL IG team
  • IT Team
  • DPO


A number of practices have started working through the DSPT sections. In the first instance we have agreed to put our head together to see which areas practices might need help with and which ones require specific input from the IT teams. We want to draw from the experience of those who have completed various sections or who have drawn up policy documents so that we can share good practice and avoid the need for many practices to ‘reinvent the wheel’. Once we have looked at the requirements in the compulsory sections we plan to hold a workshop, initially with some of the Ealing  practices to walk through the process. There will be an expert panel from the IG and IT teams and a question and answer session.  We are planning similar workshops across the other CCGs and as we develop a better understanding of the requirements we will use this blog to share:

  • learning points
  • policies, protocols or template documents which can be shared
  • webinars or other online learning resources

Over the next few months we plan to develop and add to a DSPT Support Page.

NWL IG and IT teams:

You can ask questions from the NWL IG team through the support email below and we will put these and the answers in a DSTP section into the FAQ. You can also get support from your IT team using the same email.

Data Protection Officers*:

Working through the DSPT and the final sign off of the DSPT will require input from your DPO. The current situation with a single interim DPO covering NWL will not allow that level of engagement at practice level. GPs need to take early action to appoint DPOs and as data controllers they are responsible for the costs of employing them and will need to budget something in the order of £1500 to £2500 per average practice to cover this. There has been some consensus among GPs that it would make little sense for individual practices to recruit their own DPOs and it will be better to deploy a shared DPO service at borough level or across NWL.

If either the federations or NWL were to undertake this role, they would levy their GPs for provision of the service.  This has been discussed in some of your networks and is also being debated in Federations and NWL CCGs who are looking into the most efficient and cost effective way of providing such a service.  We are also seeking further national guidance on this and are in contact with the LLMC and will update practices at Network level and on this blog as more information become available.

*[Update March 2019 – Since the details of the new GP contract have been released, the responsibility of providing and employing DPOs will rest with CCGs who are currently exploring ways to augment the current service]


Output Documentation

Learning Points

  • The DSPT (Data Data and Security Protection Toolkit) must be completed by 31/03/2019 and work towards this and GDPR compliance will require a minimum of 2-3 months preparatory work.
  • You should appoint a DPO (Data Protection Officer) at Practice, CCG or Federation level early in the New Year to support your work towards signing off the DSTP.

Practice Checklist

  • To do 44 – Identify a lead practice member for the DSPT and allocate some regular time for them to do this work
  • To do 45 – Register your practice for the DSPT here
  • To do 46 – Start working though the sections completing only the compulsory sections in the first instance