Infinitic Consultancy


How to Train Your Team on IG – Without Overloading Them

One of the most overlooked requirements of the Data Security and Protection Toolkit (DSPT) is staff training. Every organisation that handles NHS data — from large GP Federations to small courier services — must ensure that staff are trained in information governance (IG) annually. It’s not just a tick-box activity. Staff understanding of confidentiality, data breaches, and secure handling of personal information is critical to service quality and regulatory compliance. The good news? It doesn’t have to be complicated. In this blog post, we’ll show:

Why Training Matters for DSPT (and for CQC)

The DSP Toolkit requires organisations to demonstrate that all staff with access to personal data have received IG training in the last 12 months. It’s also a Care Quality Commission (CQC) expectation. In inspections, CQC reviewers often ask:

This applies to:

Whether you’re a GP Federation, charity, local authority, or NHS supplier — training must be in place and trackable.

Who Needs Training?

Everyone in your organisation who:

This includes:

It’s not just frontline workers — senior managers and directors also need refresher training.

What Should IG Training Cover?

Training should be relevant to the tasks your team performs. The DSP Toolkit expects coverage of key areas, including:

What Makes Good IG Training?

✅ Accessible
The training should be in plain English, easy to follow, and available online or in print.

✅ Practical
Use examples relevant to your setting — such as handling paper files in a care home, or secure referrals from a social prescribing service.

✅ Certificate-based
Completion should generate a record or certificate. This provides your DSP Toolkit evidence and can be requested during CQC inspections.

✅ Refreshable
Staff should repeat training every 12 months. New starters should be trained as part of induction — not after the fact.

Challenges Organisations Often Face

Many non-NHS providers struggle to train staff consistently due to:

This is particularly true in:

How to Make Training Easy

To meet DSP Toolkit standards without overloading your team, consider these tips:

1. Use a Simple eLearning Platform
There are purpose-built platforms that provide:
Look for solutions specifically aimed at:

2. Adapt Training to Your Team
One-size-fits-all doesn’t work. Use different formats:

3. Centralise Training Records
Maintain a simple spreadsheet or dashboard showing:
This becomes your evidence log for DSPT and inspections.

4. Include in Induction
Every new team member should complete IG training as part of their onboarding. That includes contractors, agency workers, and volunteers.

Example: Primary Care Subcontractor

A business intelligence firm working under a PCN contract was accessing appointment and prescribing data. But:

After implementing short, role-specific training with built-in reporting:

Don’t Wait Until You’re Asked

If you’re preparing for a DSP Toolkit submission, start by checking:

If not, that’s the first action to take.

Make IG Training a Habit, Not a Headache

Training doesn’t have to be overwhelming. With the right tools and planning, even small providers or external contractors can meet DSP Toolkit standards and build confident, capable teams who protect patient data every day.

Call to Action: 🎓 Want to see what simple, effective IG training looks like? Get instant access to a demo module – no login needed.


The Policies You Need for DSP Toolkit Success (Without Starting From Scratch)

One of the most common pain points in completing the Data Security and Protection Toolkit (DSPT) is creating or updating the policies needed to support your answers. Many organisations either don’t know what policies are required or try to reuse outdated NHS Trust templates that don’t match their services. In this post, we’ll show you:

Why Policies Matter for the DSP Toolkit

The DSP Toolkit isn’t just about saying you protect data — it requires you to prove it. That means uploading or referencing actual documents that demonstrate:

Without the right policies in place, your Toolkit submission may be marked as incomplete — or not meet the “Standards Met” threshold.

The Core Policies You’ll Need

Here’s a breakdown of the most commonly required policies, all of which should be reviewed annually and made accessible to staff.

1. Information Governance (IG) Framework
This is your overarching document that explains:

2. Data Protection and Confidentiality Policy
Covers how you handle:
This policy should align with UK GDPR principles and include the lawful bases for your processing of NHS data.

3. Records Management Policy
Sets out how you:
This should reflect the NHS Records Management Code of Practice 2023.

4. Incident and Breach Reporting Procedure
Details how your organisation:
This policy must include how staff escalate concerns and timelines for reporting.

5. Staff Acceptable Use Policy (AUP)
Outlines rules for:

6. Subject Access Request (SAR) Procedure
Explains how individuals can request their personal information and how your organisation responds, including timeframes and responsibilities.

Why Generic NHS Templates Don’t Work

NHS Trust policies are often:

As a result, many non-NHS providers either don’t use them or do so incorrectly, leading to compliance failures.

Tailored Policies for Non-NHS Providers

You don’t need to reinvent the wheel — but you do need documents that reflect how your organisation works.

Examples of tailored policy needs:

Each of these settings has different risks, responsibilities, and workflows — and your policies should reflect that.

What Makes a Good DSPT Policy?

To meet the DSP Toolkit standard, your policy should be:

Where to Get Support

Many organisations choose to use pre-written templates that are:

By starting with templates like these, you can save hours of time and focus on implementation, not document drafting.

Real-World Scenario: Community Health Charity

A small charity providing mental health support under an NHS contract had no formal policies in place. They:

With basic support, they:

Policy Doesn’t Have to Be Painful

Policy writing can feel overwhelming — especially when you’re running services, managing staff, and navigating contracts. But with the right resources, you can quickly implement policies that are not just legally compliant, but useful, understandable, and relevant to your team.

Call to Action: 📄 Need policy templates that actually work for your setting? Download our free Records Management Policy sample for care providers and external suppliers.


Where Most Providers Struggle with the DSP Toolkit – And How to Fix It

If you’re a care provider, GP Federation, charity, IT supplier, or subcontractor working with NHS data, you’ve likely heard of the Data Security and Protection Toolkit (DSPT). Completing it annually is mandatory — but many organisations struggle to get it right. In this post, we’ll look at the most common stumbling blocks and how to resolve them without delay, even if you don’t have a dedicated information governance team.

Understanding the Problem: It’s Not Just a Tick-Box Exercise

The DSP Toolkit is designed to help organisations prove they are protecting NHS data appropriately. It’s more than a form — it’s a full self-assessment across key areas of data protection, confidentiality, cyber security, and staff training. Yet, the majority of problems we see fall into just a few predictable categories — and they’re often the same, whether you’re a:

Common Areas Where Providers Struggle

1. No Named Information Governance (IG) Lead
Every organisation completing the Toolkit must identify someone with overall responsibility for information governance.
Why it matters: Without a named lead, there’s no accountability or ownership. Many organisations simply default to the registered manager or business director — which is fine, but only if they understand the role.
Fix: Nominate a lead formally, add the role to their job description, and provide them with basic IG training and support resources.

2. Missing or Outdated Policies
Many providers either have no written policies or rely on outdated ones pulled from unrelated NHS templates.
Commonly missing documents:
Fix: Use tailored templates written for smaller organisations. Avoid over-complex language. All staff should be able to understand what the policy means in their day-to-day work.

3. Training Gaps and No Evidence of Completion
The DSP Toolkit requires evidence that staff receive annual training on data protection and IG. Unfortunately, many providers:
Fix: Set up simple online training modules with automated certificates. Keep a training log with names, dates, and module titles. If you’re a charity or subcontractor, ensure volunteers or temporary staff are included.

4. No Records of Risk Assessments or DPIAs
A Data Protection Impact Assessment (DPIA) is required when introducing new services, IT systems, or processes involving personal data. Most small providers miss this completely.
Example risks:
Fix: Have a DPIA template ready. Keep a log of completed assessments, even if the result shows “low risk.”

5. Unclear Roles Between Commissioners and Subcontractors
Many organisations operate as subcontractors under NHS or local authority contracts. But responsibility for data protection is shared, and some mistakenly assume the “main contractor” will handle everything.
Fix: Clarify roles in contracts or data sharing agreements. All parties — even secondary subcontractors — must complete the DSP Toolkit independently if they process NHS patient data.

Real-World Example: A Small Social Care Provider

A supported living provider commissioned by the ICB was unaware they needed to complete the DSP Toolkit. They had:

Within four weeks of support:

How a Gap Analysis Can Help

A professional gap analysis is one of the fastest and most efficient ways to fix these issues. It tells you:

You’ll get:

It’s especially useful for:

Don’t Let Compliance Gaps Become Contract Risks

Commissioners, NHS partners, and CQC expect providers to demonstrate robust data handling. Non-compliance with the DSP Toolkit is no longer tolerated as a minor issue — it could affect future funding, contracts, or regulatory ratings.

Take Action Today

Most organisations struggle with the same issues — and the good news is, they can all be fixed with the right support. Even if you’re not an NHS body, if you handle NHS data, you’re responsible for managing it safely, securely, and in line with UK law.

Call to Action: 📋 Want to know where your organisation stands? Download our free DSPT gap-check template to get started.


What Is the DSP Toolkit – and Why It Matters for Your Organisation

The Data Security and Protection Toolkit (DSPT) is the official self-assessment tool for all organisations that access or process NHS patient data. Whether you’re a care provider, GP Federation, charity, public health team, or an IT supplier, completing the DSP Toolkit annually is not optional — it’s a requirement. In this guide, we’ll break down:

What is the DSP Toolkit?

The DSP Toolkit is an online self-assessment developed by NHS England and the Department of Health and Social Care. It helps ensure that health and care organisations are meeting the standards for:

By completing the Toolkit, organisations demonstrate that they are handling NHS data securely, lawfully, and transparently — which is essential for patient trust, legal compliance, and ongoing NHS relationships.

Who Needs to Complete the DSP Toolkit?

If your organisation accesses, stores, processes, or transmits NHS patient data — even occasionally — you must complete the DSP Toolkit. This includes:

Even if you are not directly employed by the NHS, if you handle NHS data — you’re within scope.

Why Does It Matter?

The DSP Toolkit is a condition of the NHS Standard Contract. For subcontractors and commissioned services, it’s often written into agreements, funding terms, or Service Level Agreements (SLAs). Failing to complete the Toolkit can result in:

Some NHS organisations now refuse to engage with external providers who haven’t met the ‘Standards Met’ status in the DSP Toolkit — especially for IT, analytics, or records services.

What’s in the Toolkit?

The Toolkit includes a series of evidence-based questions that cover:

You must upload or reference actual evidence — not just say “we do this.” For example:

But We’re Only a Small Organisation…

The NHS recognises that one size doesn’t fit all. The DSP Toolkit has different levels of requirement depending on your organisation type. For example, a small care home won’t be expected to meet the same evidence threshold as an NHS Trust or large IT contractor.

However, all organisations are expected to show:

Even if you only handle a small volume of NHS data, the expectation is that any handling of patient information is done securely.

How to Make It Easier: The Easy Compliance Approach

Many smaller providers, charities, and external contractors struggle with the DSP Toolkit because they don’t have a dedicated Information Governance (IG) lead or in-house compliance resources. That’s why some choose a simplified support model:

This ensures that you stay compliant — without being overwhelmed by jargon or NHS documentation.

What Happens After You Submit?

Once your submission is complete, your Toolkit will be publicly visible via the DSPT portal. Commissioners and NHS bodies can search and confirm your status, which may influence future contracting decisions. You’ll need to:

Don’t Let Compliance Hold You Back

The DSP Toolkit isn’t just a form — it’s a legal and ethical obligation for anyone handling NHS data. But it doesn’t have to be difficult or time-consuming. With the right support, even the smallest provider or subcontractor can meet their requirements and continue working safely and confidently with the NHS.

Call to Action: 👉 Need help navigating the DSP Toolkit? Download our free gap-check checklist or contact us for support tailored to your organisation.


Impact of the GDPR to Companies: Data Breach Notification

The new EU General Data Protection Regulation (GDPR) makes it mandatory for organisations to notify the EU member state’s Data Protection Supervisory Authority (DPA) and, in some cases, affected data subjects in the event of a personal data breach. This specific GDPR requirement to notify makes it imperative for organisations to make sure they have effective incident reporting and investigation policies and procedures for personal data breaches that are understood and implemented by their staff.

The GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” However, under the GDPR, notification is not required if a personal data breach is unlikely to result in a risk to the rights and freedoms of data subjects. This means the organisation may have an opportunity to review, consider or argue the necessity of notifying a data breach, but all of this must be done within the 72-hour deadline.

In order to comply with the data breach notification obligation, organisations that process personal data of EU citizens should ensure that they have appropriate and effective corporate incident management and investigation policies with clear internal procedures and guidelines on identifying and reporting security breaches and carrying out root cause analyses.

Under the GDPR, data controllers must notify the supervisory authority without delay and, where practicable, not later than 72 hours after having become aware of the incident. A personal data breach notification delay of more than 72 hours will have to be well justified. The notification to the DPA should at the minimum contain the following information:

If the information above is not available immediately within 72 hours, it may be provided after the data breach notification.

Data processors do not have an obligation to notify data breaches to the DPA but must notify the data controller immediately so that the data controller can take the necessary actions. The GDPR offers guidance on required security standards; data controllers are obliged to ensure that their data processors have sufficient guarantees of adequate and appropriate security safeguards to protect personal data and to protect the rights of data subjects.

Organisations will need to implement effective policies and procedures to comply with the GDPR data breach obligations. Staff must be made aware of the organisation’s procedures and processes and must be appropriately trained to ensure they are able to identify and report data breaches. DPOs must be able to investigate data breaches and carry out a root cause analysis for each incident to ensure lessons are learned and recurrence of incidents is avoided. For the organisation’s incident management policies and procedures to be effectively implemented, the organisation needs to develop a culture that encourages staff to report incidents. The whole incident management process must be treated as a learning exercise rather than an exercise to apportion blame and liability for internal discipline.

The following are the key steps that organisations must take to ensure compliance with the GDPR data breach obligations:


Impact of the GDPR to Companies: The mandatory DP Officer

The GDPR requires organisations to appoint or designate a data protection officer with responsibilities to inform and advise the organisation about compliance with GDPR obligations and other data protection laws. The DPO requirement applies to both data controllers and data processors. The DPO will also be responsible for monitoring the organisation’s compliance with the GDPR, managing internal data protection activities and carrying out data protection impact assessments, ensuring that the organisation has access to effective advice on data protection risks and issues. The DPO must be the organisation’s main contact for the supervisory authorities and for individuals whose data is processed, and also has responsibilities for staff data protection training, staff advice and carrying out internal audits.

DPOs are expected to have expert knowledge of data protection law and practices, and the level of knowledge should be determined by the type or level and volume of the organisation’s personal data processing and the protection required for the personal data being processed. The GDPR does not specify the qualifications a data protection officer should have; however, the GDPR requires that the DPO have professional experience and knowledge of data protection law that is proportionate to the type of processing the organisation carries out.

The GDPR does not put a limit on the size of companies that should appoint DPOs. It states that DPOs must be appointed for all public authorities and by organisations whose core activities involve “regular and systematic monitoring of data subjects on a large scale” or where high volume processing of special categories of personal data as defined in the GDPR (e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, etc.) takes place.

Reporting Arrangements and Seniority of DPOs

The GDPR defines the minimum tasks of the DPO in Article 39. It states that the DPO must be responsible for reporting to the highest management level of the organisation, which basically means they must be a board level member of the organisation or equivalent. One of the fundamental aspects of the role of the DPO in the organisation is that they must be allowed to operate independently and cannot be dismissed or penalised for performing their task. This removes the element of bias in the DPO’s role as an advisor to the organisation and ensures that they operate without any conflict of interests and are able to challenge decisions that are not compatible with the GDPR and other data protection legislation at a very senior level in the organisation.

The GDPR also requires that adequate resources are provided to enable DPOs to meet their GDPR obligations. The DPO role can also be allocated to existing members of staff in an organisation as long as their professional duties are compatible with the duties of the DPO as specified in the GDPR, i.e. the DPO must be allowed to work independently and should not have any conflict of interests. Organisations that do not wish to employ a full time DPO may externally contract out the DPO role as long as the governance arrangements enable staff to have the DPO readily available for advice to staff and senior management.

The DPO requirements set out in the GDPR must be fully complied with, and the appointment of the DPO must not be seen as a tick-box exercise or a superficial way of complying with the regulations. Operational effectiveness and understanding of data protection legal requirements is what the organisation should be getting from the DPO. Organisations may also want to consider appointing a DPO with a good understanding of information risk management, which is essential in the ever changing cyber security environment. The DPO should be able to identify and anticipate threats to personal data and be able to review and assess the vulnerabilities of the organisation’s systems and other information assets.


Impact of the GDPR to Companies: Consent Requirements

Consent was one of the most robustly argued subjects during the drafting of the GDPR and remains a lawful basis for processing, transfer or disclosure of personal data under the GDPR. The GDPR sets a very high standard for consent by clearly defining consent as: “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;”

The major change under the GDPR is that consent must be unambiguous to be valid, meaning data subjects should clearly express agreement or make a statement that clearly says “yes” to the actual processing of their personal data for a specific purpose. This may be by clicking/ticking a box, actually selecting settings or making a clear declaration. Consent will also be considered valid where a data subject acts in a clear way which expresses or affirms their consent. Even though the GDPR does not require explicit consent for all types of data processing, it makes it clear that “silence, pre-ticked boxes or inactivity should therefore not constitute consent.” The GDPR requires explicit consent only for processing sensitive personal data, but “unambiguous” consent will suffice for non-sensitive data, permitting organisations to use implied consent to some degree if a data subject’s actions are clearly and adequately indicative of their agreement to specific data processing.

The fundamental challenge that organisations face with the new GDPR consent requirements is the requirement of organisational accountability and providing proof of consent. The GDPR requires the data controller to be “able to demonstrate that consent was given by the data subject to the processing of their personal data”, meaning data controllers can no longer rely on implicit or “opt-out” forms of consent in some cases but will need to show that the data subject indicated their agreement by way of a “statement or clear affirmative action”.

Organisations face the difficult task of reviewing the way consent is recorded and ensuring that data subjects are adequately informed and agree to the processing of their personal data. It is no longer sufficient to just record that an individual has ticked a box. Organisations will need to keep records and audit trails that show that data subjects have been fully informed by way of notices etc. and freely agreed to their data being processed for a specific purpose. Failure by a data controller to verify consent records may lead to a breach of the GDPR requirements for legal consent and exposes the organisation to a risk of enforcement for processing personal data without a lawful basis.

Any infringements of the basic principles of personal data processing under GDPR, “including conditions for consent”, can be subject to huge financial penalties for organisations, which may be up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide turnover of the preceding financial year, whichever is higher. This makes documenting consent one of the important actions for organisations to take to comply with the GDPR.

Infinitic Compliance Services can help your organisation carry out a risk assessment and ensure you are prepared for the GDPR. Our consultants can help you develop processes and systems that enable your organisation to record proof of consent. Please contact us if you require help with developing effective and GDPR compliant consent processes.


NHS Providers Told to Implement New Data Security Standards

The Department of Health (DH) has confirmed that the NHS IG Toolkit will be replaced by the new NHS Data Security and Protection Toolkit (DSP Toolkit) from April 2018. This is confirmed in a guidance document published this week by DH and NHS England to outline the 2017-18 requirements for organisations providing NHS services to implement the National Data Guardian (NDG) recommendations on NHS data security standards.

The new DSP Toolkit will replace the NHS Information Governance Toolkit from April 2018 and will be used for measuring progress in implementing the NDG ten data security standards and compliance with data protection legislation from April 2018. The new NHS data security standards and the 2017/18 DH requirements apply to all NHS Providers, and the Care Quality Commission (CQC) will now consider how organisations are assuring themselves that the requirements outlined in the guidance have been implemented. At the end of the 2017/18 financial year, NHS Improvement will also ask NHS providers to confirm that they have implemented the NHS data security standards.

The DH guidance document sets out the steps all health and care organisations will be expected to take in 2017/18 to demonstrate that they are implementing the NHS data security standards. All organisations providing NHS services under the NHS Standard Contract must now comply with the requirements set out in the document to meet their contractual obligations on data security and protection as laid out in the NHS Standard Contract. General Practices and Practitioners, contracted to provide primary care essential services to a registered list under the NHS standard General Medical Services (GMS) contract (or Personal Medical Services (PMS) or Alternative Provider Medical Services (APMS) contracts), must also comply with the requirements set out in the document, as part of the data security and protection requirements set out in their contract.

Essentially all Providers in England, including GP Practices, are required to have a senior manager or Board member responsible for data security to comply with the new NHS data security standards. The DH guidance also comes with a requirement for all staff to complete appropriate annual data security and protection training. This training is available online from e-Learning for Healthcare. For 2017/18, organisations are still required to achieve at least level two on the current Information Governance Toolkit before it is replaced with the DSP Toolkit from April 2018/19 onwards.


ICO Publishes Guide For GDPR Compliance

The UK Information Commissioner’s Office has published a 12 step guide to help organisations prepare for the EU General Data Protection Regulation (GDPR). The guidance outlines 12 steps that organisations need to follow to ensure their processes, systems and policies comply with the new regulation. The ICO has indicated that it will set out its plans to produce new guidance and other tools to assist organisations to prepare for the GDPR over the next few months. The ICO will also be working closely with trade associations and bodies representing the various sectors to facilitate sector based implementation of the GDPR.

Accountability is a key issue within the GDPR, and organisations that process personal data must ensure that they have documented policies, procedures and processes articulating how they manage or comply with data protection requirements and legislation as an organisation. Data Controllers will no longer be required to register their processing activities with the ICO but will face strict requirements to maintain comprehensive records of their processing. Some data controllers and processors will be required to designate a Data Protection Officer (DPO) as part of their accountability programme. This is particularly the case where the data controller or processor’s core activities consist of processing special categories of personal data on a large scale.

The GDPR still imposes the burden for data protection on data controllers. A lot of the work for organisations that wish to comply with the GDPR will go into reviewing data flows and determining the lawful basis for each data flow, and reviewing procedures for individuals’ rights to ensure they cover all the rights individuals have, including the organisation’s procedure for deleting personal data and ensuring that personal data can be provided electronically and in a commonly used format.

Organisations may also need to review arrangements for sharing data with other organisations to ensure contracts are fit for purpose and meet the requirements of the GDPR. The GDPR contains more detailed requirements for the data controller-processor relationship. This means most data controllers will need to review their data processor contracts, as data processors have additional duties under the GDPR and are liable for non-compliance with their contractual obligations or for acting outside the data processing authority granted by a controller.

The ICO checklist is a good starting point for working out areas that your organisation may need to address to comply with the GDPR. The ICO checklist effectively highlights the differences between the current Data Protection Act and the GDPR, making it easier for organisations to identify gaps and areas of risk. A copy of the GDPR guidance is available at: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
