The purpose of the data security and protection toolkit is to provide a means for health and care organisations (or those providing services to NHS organisations) to measure their compliance against Data Protection legislation and the National Data Guardian’s Data Security Standards to see whether information they hold is handled correctly and protected from unauthorised access, loss, damage and destruction.
Where partial or non-compliance is revealed, organisations must take appropriate measures to raise standards. The aim is to demonstrate that the organisation can be trusted to maintain the confidentiality and security of information. This in turn increases public confidence that the NHS and its partners can be trusted with their sensitive data.
The data security and protection toolkit is the successor framework to the information governance toolkit and draws together the legal rules and central guidance set out by the Department of Health and Social Care and presents them in a single standard. Relevant organisations are required to carry out self-assessments of their compliance against the assertions and evidence items contained within the data security and protection toolkit.
In accordance with section 260(2)(d) of the Act, NHS Digital is directed not to publish the data obtained by complying with the section 254 Direction, except for a summary level of each organisation’s completed data security and protection toolkit, which will be made available online to the public.
Last edited: 1 December 2020 9:19 am