
A date with data security – by Nicola Davies


I got a little nudge yesterday from our Data Quality team to check on my progress with the DSP Toolkit – or to give it its proper name – ‘The Data Security and Protection Toolkit’. Rolls off the tongue doesn’t it?! This was previously known as the Information Governance Toolkit, but obviously we’d had that name for a little while and NHS Digital had nothing better to do so they thought they’d re-vamp it and change the headed paper. Where have I heard that before?

This latest toolkit is a fairly weighty tome of 10 key areas for data protection (everything from dealing with confidential data, to IT security, to process mapping of procedures). There are 28 ‘assertions’ and within those 28 assertions, 42 mandatory statements that must be completed, ticked off, sorted, signed and dealt with. Oh, and I forgot to say – additional, mandatory statements have been added to last year’s toolkit so before you think you’ve got it sussed, think again!

The first problem I have with this toolkit is the language it uses. Some of it (a very small part of it) is obvious – “When were your data security and protection policies updated?” – so far so good.

However, “annual IT penetration testing is scoped in negotiation between management, business and testing team” OK then, not quite sure! So, when you get to a statement like this where you probably need some background explanation, you can’t just click on the link and expect to get some help and advice, no, you have to go to the ‘Help’ document. Now, wouldn’t it be great if you had some sort of link to take you to exactly the right part of the ‘Help’ document to explain the aforementioned gobbledygook? Ha! Well, think again my friends.

The ‘Help’ Document loads as a page on top of your toolkit – so you can’t look at both at the same time. This very helpful ‘Help’ Document has nine sections, of which number six is the one with the useful information! It’s got what it calls ‘Big picture guides’ – stay with me – this has five areas to help you (with the 10 key areas, no I don’t understand either). So you click on one of those, take a chance on which one, and then finally you get an Adobe document of guidance. The first one, just to keep you interested, is 61 pages long, but that’s only for the first section on Personal Confidential Data – the other help guides are varying in length – all of which will no doubt ease my insomnia and have me reaching for the chocolate and gin.

During my review of the toolkit, I came across a statement about information flows and slowly worked out (with a lot of help) that it referred to a data mapping exercise. You have to think about how data (and specific data at that) comes in, goes round the surgery and goes out again and what risks there might be, how you can mitigate those risks etc. Very helpfully, my contact at Data Quality provided me with a spreadsheet as an example – there are 72 types of data flowing in and out of our surgeries at some point – 72! – and in order to complete a mandatory statement about data flows and mapping processes, I need to go through those 72 types of data and do the whole risk assessment. That in itself is at least two days’ work – if you do absolutely nothing else at all on those two days. Who amongst us ever has a day like that, where they can focus on just one task?!

I calculated that to do all the necessary assessments, process maps and data checking would be a job in itself for one person – it would probably take them a month to do the whole toolkit properly. Now I haven’t got an IT person that I can offload this task to – we’re a very small practice, so it’s down to me to do it, which as you can imagine went down like a lilo at the end of summer season.

I’ve gone back to the Data Quality team to have a moan – I mean, what are the consequences if I don’t do the toolkit? Will the ICO be informed? Will my contracts be void? Will I finally lose the will to live and go and work at Tesco? Other supermarkets are available.

The sensible idea would be for someone at the CCG to do this work for us as a group of practices and share the data mapping spreadsheets, update our Information Governance Protocols etc – or, we could potentially as a network pay someone to do it for a smaller group of surgeries – and then we can tick the right boxes happy in the knowledge that we’ve done everything we need to do, but until I know what the consequences and penalties of NOT doing the job are, I’m just going to sit tight.

Data security is massively important – we all need to know that our personal data and that which we hold is secure, protected, not open to cyber attack. However, if we’re going to do this, we’ve got to do it right – and not take a half-hearted approach, but yet again, we have another job foisted on us from on high – and whilst I get it, of course I understand the importance of it, the people on high who make the decisions have absolutely no flippin’ idea what we’re up against.

So I’m making a stand – sat down in my office! Are you with me?

Nicola Davies


Practice Manager regularly ranting about the NHS. 35 years in Primary Care and still getting irritated by constant change for change’s sake!


7 Responses to “A date with data security – by Nicola Davies”
  1. Julie Says:

    Ooo, don’t say that Nicola. I work with half the GP practices in our area doing this. I’ve loved the work, getting out and about, it was like my old PCT job. If the CCG had done it I would have had a very boring year. To be fair, once the data flows are done they are pretty much the same for all practices within your area – that’s because you may be using different software for some processes therefore sharing with different companies. By the end of last year I was on version 12 of the data flows – a S1 one and an EMIS one and spent 1 day on the first DSP toolkit but got it down to 20 minutes by my last practice. It does make sense for 1 person to do it and share it. Some of those around are really difficult to update and change, I found a simple but huge spreadsheet worked for our area. Whoever had the bright idea of calling it an asset register (I can’t get my head round calling someone’s address an asset)


    • Carol Witney Says:

      Hi Julie,

      Would you be prepared to share your wonderful documents on here so we can all adopt this for our own practice?


    • Nicola Davies Says:

      Hi Julie – thanks for your comments – as Carol says……useful to share!!

      I think the issue here is that lots and lots of PMs/IT bods in General Practice will be doing the same tasks for the same toolkit – and that makes absolutely no sense.

      If CCG/PCNs come together properly, this huge workload can be done much more efficiently…… I await the revolution!!
      Best wishes


  2. Alan Moore Says:

    Many years ago the NHS took over 100% of our IT function so why isn’t most of the DSP Toolkit being done by them/NHSE/The CCG? The bits of it that the practice have any control over are straightforward to answer. I wonder what would happen if everyone responded with “no idea ask IT Support” in those sections? LOL


  3. Gerry Says:

    I was just about to embark on my “toolkit” but now feel myself sinking back into the mire whilst attempting the backstroke!!

    Maybe we should all stop seeing patients in practices and devote all our time to ticking boxes, filling out spreadsheets, documents and toolkits while conducting the myriad of training that seems to increase each year – don’t forget to attend meetings and compulsory CCG events either!

    Shelf stacking here I come!!! 🙂


  4. Tonia Says:

    I’m just glad we don’t have this in Wales – although we have the rather cumbersome IG Toolkit….as a fellow ranter thank you, at least I’m not alone!


  5. Jayne Says:

    I started our DSP Toolkit a couple of weeks ago, thinking most of it would already be completed from last year, but no, additions have been sneaked in, and it left me feeling rather glazed over and losing the will to live. I started to make a list of the information I needed to find, but reading the list back, it made no sense and I really didn’t understand half of what I was being asked for. I should point out I’ve worked in practice for 35 years, and 15 of them as PM, but the technical terms were a mystery. I need to regroup before I open it up again, perhaps on a day I’m feeling far too confident about life…..

