IG Toolkit

If you’re a care provider, GP Federation, charity, IT supplier, or subcontractor working with NHS data, you’ve likely heard of the Data Security and Protection Toolkit (DSPT). Completing it annually is mandatory — but many organisations struggle to get it right. In this post, we’ll look at the most common stumbling blocks and how to resolve them without delay, even if you don’t have a dedicated information governance team. Understanding the Problem: It’s Not Just a Tick-Box Exercise The DSP Toolkit is designed to help organisations prove they are protecting NHS data appropriately. It’s more than a form — it’s a full self-assessment across key areas of data protection, confidentiality, cyber security, and staff training. Yet, the majority of problems we see fall into just a few predictable categories — and they’re often the same, whether you’re a: Common Areas Where Providers Struggle 1. No Named Information Governance (IG) Lead Every organisation completing the Toolkit must identify someone with overall responsibility for information governance. Why it matters:Without a named lead, there’s no accountability or ownership. Many organisations simply default to the registered manager or business director — which is fine, but only if they understand the role. Fix:Nominate a lead formally, add the role to their job description, and provide them with basic IG training and support resources. 2. Missing or Outdated Policies Many providers either have no written policies or rely on outdated ones pulled from unrelated NHS templates. Commonly missing documents: Fix:Use tailored templates written for smaller organisations. Avoid over-complex language. All staff should be able to understand what the policy means in their day-to-day work. 3. Training Gaps and No Evidence of Completion The DSP Toolkit requires evidence that staff receive annual training on data protection and IG. Unfortunately, many providers: Fix:Set up simple online training modules with automated certificates. Keep a training log with names, dates, and module titles. If you’re a charity or subcontractor, ensure volunteers or temporary staff are included. 4. No Records of Risk Assessments or DPIAs A Data Protection Impact Assessment (DPIA) is required when introducing new services, IT systems, or processes involving personal data. Most small providers miss this completely. Example risks: Fix:Have a DPIA template ready. Keep a log of completed assessments, even if the result shows “low risk.” 5. Unclear Roles Between Commissioners and Subcontractors Many organisations operate as subcontractors under NHS or local authority contracts. But responsibility for data protection is shared, and some mistakenly assume the “main contractor” will handle everything. Fix:Clarify roles in contracts or data sharing agreements. All parties — even secondary subcontractors — must complete the DSP Toolkit independently if they process NHS patient data. Real-World Example: A Small Social Care Provider A supported living provider commissioned by the ICB was unaware they needed to complete the DSP Toolkit. They had: Within four weeks of support: How a Gap Analysis Can Help A professional gap analysis is one of the fastest and most efficient ways to fix these issues. It tells you: You’ll get: It’s especially useful for: Don’t Let Compliance Gaps Become Contract Risks Commissioners, NHS partners, and CQC expect providers to demonstrate robust data handling. Non-compliance with the DSP Toolkit is no longer tolerated as a minor issue — it could affect future funding, contracts, or regulatory ratings. Take Action Today Most organisations struggle with the same issues — and the good news is, they can all be fixed with the right support. Even if you’re not an NHS body, if you handle NHS data, you’re responsible for managing it safely, securely, and in line with UK law. Call to Action:📋 Want to know where your organisation stands? Download our free DSPT gap-check template to get started.

The Department of Health (DH) has confirmed that the NHS IG Toolkit will be replaced by the new NHS Data Security and Protection Toolkit (DSP Toolkit) from April 2018. This is confirmed in a guidance document published this week by DH and NHS England to outline the 2017-18 requirements for organisations providing NHS services to implement the National Data Guardian (NDG) recommendations on NHS data security standards. The new DSP Toolkit will replace the NHS Information Governance Toolkit from April 2018 and will be used for measuring progress in implementing the NDG ten data security standards and compliance with data protection legislation from April 2018.The new NHS data security standards and the 2017/18 DH requirements, apply to all NHS Providers and the Care Quality Commission (CQC) will now  consider how organisations are assuring themselves that the requirements outlined in the guidance have been implemented. At the end of the 2017/18 financial year, NHS Improvement will also ask NHS providers to confirm that they have implemented the NHS data security standards. The DH guidance document sets out the steps all health and care organisations will be expected to take in 2017/18 to demonstrate that they are implementing the NHS data security standards. All organisations providing NHS services under the NHS Standard contract must now comply with the requirements set out in the document to meet their contractual obligations on data security and protection as laid out in NHS Standard Contract. General Practices and Practitioners, contracted to provide primary care essential services to a registered list under the NHS standard General Medical Services (GMS) contract (or Personal Medical Services (PMS) or Alternative Provider Medical Services (APMS) contracts), must also comply with the requirements set out in the document, as part of the data security and protection requirements set out in their contract. Essentially all Providers  in England including GP Practices are required to have a senior manager or Board member responsible for data security to comply with the new NHS data security standards. The DH guidance also comes with a requirement for all staff to complete appropriate annual data security and protection training. This training is available online at from e-Learning for Healthcare. For 2017/18, organisations are still required to achieve at least level two on the current Information Governance Toolkitbefore it is replaced with DSP Toolkit from April 2018/19 onwards.