Month: March 2019

DSPT Support Page – No. 13

DSPT Support Page – No. 13


Working with Practice Managers, NWL Primary Care Teams, The NWL IG team and the DPO, this page and the documents in it have been put together to help you complete the Data Security and Protection Toolkit (DSPT) by the 31st March 2019.

To avoid a plethora of DSPT support pages we plan to present all the required information on this page. If there is new advice or additional documentation it will be added here.

There are TWO MAIN documents which will help you through your submission.

1) A Data Security Policy

The various sections in DSPT ask for information which will include policies, protocols, guidelines or procedures across a range of different topics. We have designed this Data Security Policy to be the overarching document in your practice, where you can see links to all of the required elements in one place.

2) DSPT Requirement & Evidence V1.2   **Updated 18-March 2019**

This contains comments and guidance related to all of the 10 sections and subsections in the DSPT.

Both of these documents are works in progress and the links below (under Output Documentation) will always point to the most up-to-date versions.

By now, you should have logged in to the DSPT website and have started to add some of the simpler responses, such as your ICO number and your Caldicott Guardian details, as well as reviewing the mandatory questions.

Please note: for Hillingdon CCG Practices, it is advised that you contact the Hillingdon IT service desk for responses to questions that relate to your IT Service Provider.

Review of action points from last blog

  • To do 44 – Identify a lead practice member for the DSPT and allocate some regular time for them to do this work
  • To do 45 – Register your practice for the DSPT here
  • To do 46 – Start working though the sections completing only the compulsory sections in the first instance

Please note that as further work on the DSPT is clearly linked to going through each of the 10 sections, there will be no further To Do list other than the requirement for your practice to submit your DSPT returns under each of those sections.

Work covered in this session

Data Security Policy

It will be worth familiarising yourself with this document, which you may wish to add to as you progress. Working through the GDPR blogs will have generated much of the information needed for the DSPT.  This document should enable you to pull together all of your existing policies, plus help you with some new ones. It is an overarching policy document to which you or your staff can refer. You can also use to it as a resource within DSPT and it may be helpful in responding to questions which arise at CQC inspections.

DSPT Requirements & Evidence

This will probably the most commonly used document in submitted your response to the question, assertions and evidence required under each of the 10 sections in the DSPT.

Some of the DSPT requirements need you to demonstrate the presence of robust cybersecurity measures. A number of those relate to the policies and practices provided through centrally provided IT services. Those elements have also been responded to and can be found under the relevant sections in this document.

Fair Process Notifications

The NWL Collaboration have designed two GDPR compliant fair process notices for your patients in poster form, which are on their way to you. We are required to present this information in tiered levels, simplest first, with the ability to drill down on progressive detail. The posters represent the simplest information. The most detailed information is found in your A4 fair processing notice which should be published on your practice website. The posters should be displayed in your surgery to inform you patients about how we use their data in NWL. The more details A3 posted has space for stickers which should be printed to show (as below):

  • Practice Address
  • Practice Website URL
  • Detailed FPN URL (from practice website)
  • DPO contact NWL CCGs DPO Service

There are electronic versions which can be uploaded to your NUMED/Call board screens.  NHS NWL Medical Information Sharing Poster

Please use the latest version 1.08 of the detailed A4 Fair Processing Notice which can be downloaded here:  **Updated 29-March 2019**

Data Flow Mapping

Please use the latest version 1.2 of the data flow mapping spreadsheetwhich can be downloaded here: **Updated 29-March 2019**

Email Policy

SAR requirements can become complex if clinical correspondence is sent by email and an email policy which addresses this has been produced. It requires staff to migrate clinical data to your clinical system and delete the original email. In this way when you respond to an SAR you only need to interrogate a single data source.

Staff training around data sharing

The Staff Training & Support document is for all staff to enable them to understand Data Sharing across NWL.  This also includes the read codes (CVT-3 and READ2) that are required to opt in or opt out of data sharing. Staff Information – Data Sharing . We have also included an IG spotcheck template which practices can use to record the spot checks on compliance with these policies as required in 1.5.1.

Practice Hardware Asset Template

Section 1.4.4 of the DSPT requires a list of the hardware assets that you have within your practice. See: Asset Template for GPs

Business Continuity Plan

Remember, to make sure that you have updated your business continuity plan. These will vary from area to area but we have attached a template which covers the required sections. You should ensure that copies of the plan are kept out of the business and that you know who to contact in an emergency. Make sure that you have the correct contact details for the IT team which is  Tel: 020 3350 4050 and email as is now provided by North West London Collaboration of Clinical Commissioning Groups.

Anti Virus

This links to question 6.3.2 – Number of alerts recorded by AV tool in last three months.  

190401 AV-Alerts BCWHHE   ⇐ for NHS Brent, Central, West, H&F, Hounslow & Ealing CCGs This was last updated on 1st April 2019.

190319 – Harrow  ⇐ for NHS Harrow CCG This was last updated on 19th March 2019.

Please note: for Hillingdon CCG Practices, it is advised that you contact the Hillingdon IT service desk for responses to questions that relate to your IT Service Provider.


Learning Points

  • The two main documents which will support your DSPT submission are the Data Security Policy and the DSPT Requirement & Evidence
  • There is now just one main page for DSPT support (this one).
  • Please ask any questions by email using


Work planned for next session

There will be no new blogs, but in response to any incomplete sections and to the questions which you submit, we will continue to update the contents on this page. Any updated documents will be included in the relevant section of the DSPT Requirement & Evidence document. Any new discussion topics discuss will be added below the work covered in this session section.

We plan next to review your feedback and cover support for Subject Access Requests (SARs) and Staff Training for 2019/20.