Update – Data Protection Security Toolkit (DSPT) & NHSmail
- Background

All organisations with NHSmail accounts are required to complete the Data Security & Protection Toolkit (DSPT) on an annual basis and completing the DSPT is a prerequisite for signing up to an NHSmail account.

NHSmail provides a secure platform to transmit and receive optometry communication across eyecare providers and other community and health services. It also ensures patients with potentially fatal and/or serious eye conditions are appropriately prioritised and able to access optometry services and care as quickly as possible.

The DSPT is an online self-assessment tool which allows organisations to measure their performance against the National Data Guardian’s 10 data security standards. Organisations which have access to NHS patient data must use the DSPT to provide assurance they are practising good data security and that personal information is handled correctly.
- Covid-19 Pandemic

In May 2020, to enable the sharing of data, a necessity to effectively respond to Covid-19, NHSX, NHS Digital and NHS England & Improvement (NHSEI) agreed to accelerate the roll out of NHSmail and relax the DSPT requirement. A temporary DSPT waiver was in place until 30 June 2021 meaning contractors who signed up to an NHSmail account from May 2020 had additional time to complete the DSPT. More than 2,300 optometry contractors took up this offer and were able to send secure emails and register for free personal protective equipment from the Department of Health and Social Care.
- 2021/22 DSPT

From 1 July 2021 optometry contractors applying for an NHSmail account have been required to complete the DSPT. Contractors will have a full 12 months in which to complete the toolkit; for 2021/22 the cycle runs from 1 July 2021 to 30 June 2022.

Existing NHSmail account holders who have not yet completed the DSPT since signing up are strongly advised to do so as completion of the DSPT demonstrates patient information is being managed safely and securely. It also provides evidence to the Information Commissioner’s Office (ICO) that the contractor is compliant with key elements of GDPR when dealing with medical records. It also serves to strengthen staff members’ awareness and preparedness around cybersecurity and data protection. Data breaches can have significant implications for the contractor.

DSPT submissions will be monitored and non-compliance may result in suspension or deletion of the NHSmail account, including the shared mailbox and individual user accounts. The DSPT is also a requirement for the Electronic Eyecare Referral System (EeRS) which is being rolled out across parts of England in 2021/22. Electronic communication will become an increasingly integral part of service provision as we consider future opportunities for remote working and implement digital solutions, a key part of the NHS Long Term Plan.

DSPT assessment is something to be undertaken each year to ensure alignment with evolving trends in data security.
- Links

Contractors can register for the DSPT through Quality in Optometry or the DSPT website. Both feature resources providing support to contractors completing the DSPT.
Further support is also available from the NHS Digital helpdesk:
Telephone: 0300 303 4034
Email: exeter.helpdesk@nhs.net