I got a little nudge yesterday from our Data Quality team to check on my progress with the DSP Toolkit – or to give it its proper name – ‘The Data Security and Protection Toolkit’. Rolls off the tongue doesn’t it?! This was previously known as the Information Governance Toolkit, but obviously we’d had that name for a little while and NHS Digital had nothing better to do so they thought they’d re-vamp it and change the headed paper. Where have I heard that before?
This latest toolkit is a fairly weighty tome of 10 key areas for data protection (everything from dealing with confidential data, to IT security, to process mapping of procedures). There are 28 ‘assertions’ and within those 28 assertions, 42 mandatory statements that must be completed, ticked off, sorted, signed and dealt with. Oh, and I forgot to say – additional, mandatory statements have been added to last year’s toolkit so before you think you’ve got it sussed, think again!
The first problem I have with this toolkit is the language it uses. Some of it (a very small part of it) is obvious – “When were your data security and protection policies updated?” – so far so good.
However, “annual IT penetration testing is scoped in negotiation between management, business and testing team”. OK then, not quite sure! So, when you get to a statement like this where you probably need some background explanation, you can’t just click on the link and expect to get some help and advice, no, you have to go to the ‘Help’ document. Now, wouldn’t it be great if you had some sort of link to take you to exactly the right part of the ‘Help’ document to explain the aforementioned gobbledygook? Ha! Well, think again my friends.
The ‘Help’ Document loads as a page on top of your toolkit – so you can’t look at both at the same time. This very helpful ‘Help’ Document has nine sections, of which number six is the one with the useful information! It’s got what it calls ‘Big picture guides’ – stay with me – this has five areas to help you (with the 10 key areas, no I don’t understand either). So you click on one of those, take a chance on which one, and then finally you get an Adobe document of guidance. The first one, just to keep you interested, is 61 pages long, but that’s only for the first section on Personal Confidential Data – the other help guides are varying in length – all of which will no doubt ease my insomnia and have me reaching for the chocolate and gin.
During my review of the toolkit, I came across a statement about information flows and slowly worked out (with a lot of help) that it referred to a data mapping exercise. You have to think about how data (and specific data at that) comes in, goes round the surgery and goes out again and what risks there might be, how you can mitigate those risks etc. Very helpfully, my contact at Data Quality provided me with a spreadsheet as an example – there are 72 types of data flowing in and out of our surgeries at some point – 72! – and in order to complete a mandatory statement about data flows and mapping processes, I need to go through those 72 types of data and do the whole risk assessment. That in itself is at least two days’ work – if you do absolutely nothing else at all on those two days. Who amongst us ever has a day like that, where they can focus on just one task?!
I calculated that to do all the necessary assessments, process maps and data checking would be a job in itself for one person – it would probably take them a month to do the whole toolkit properly. Now I haven’t got an IT person that I can offload this task to – we’re a very small practice, so it’s down to me to do it, which as you can imagine went down like a lilo at the end of summer season.
I’ve gone back to the Data Quality team to have a moan – I mean, what are the consequences if I don’t do the toolkit? Will the ICO be informed? Will my contracts be void? Will I finally lose the will to live and go and work at Tesco? Other supermarkets are available.
The sensible idea would be for someone at the CCG to do this work for us as a group of practices and share the data mapping spreadsheets, update our Information Governance Protocols etc – or, we could potentially as a network pay someone to do it for a smaller group of surgeries – and then we can tick the right boxes happy in the knowledge that we’ve done everything we need to do, but until I know what the consequences and penalties of NOT doing the job are, I’m just going to sit tight.
Data security is massively important – we all need to know that our personal data and that which we hold is secure, protected, not open to cyber attack. However, if we’re going to do this, we’ve got to do it right – and not take a half-hearted approach, but yet again, we have another job foisted on us from on high – and whilst I get it, of course I understand the importance of it, the people on high who make the decisions have absolutely no flippin’ idea what we’re up against.
So I’m making a stand – sat down in my office! Are you with me?