
Using professional judgement

The 10 ‘Big Picture Guides’ are not exhaustive. They will not cover every eventuality, and professional judgement will be required in deciding how the standard is met (and audited). 

Guidance is vendor agnostic. You may have an excellent vendor-supplied system that is not referred to in the guides. That is not to discount such a system; it should be implemented on its merits. 

The required standards have to be achievable by organisations whose digital maturity is still 'developing'. As a consequence, some of the measures outlined could be seen as quite manual. This does not mean that more sophisticated measures cannot be implemented instead.


Audit 

Large NHS organisations (NHS trusts, clinical commissioning groups, integrated care communities and arm’s length bodies) must undertake an audit/independent assessment of their Data Security and Protection Toolkit (DSPT) self-assessment each year. This must be conducted in accordance with the audit guidance to ensure a consistent and effective process. 

At times the big picture guides may go further than the audit guides, and vice versa. In most cases the National Data Guardian (NDG) standards/DSPT requirements do not prescribe a single possible solution. Where the guides diverge, it is because one follows an implementation theme through to its conclusion while the other follows the next logical audit artefact.  

When implementing or auditing, please have regard to the intent of the DSPT evidence items, the assertions, and ultimately the 10 data security standards themselves. It is not the intention of the DSPT to create tick lists of items to be implemented and audited that bear little resemblance to actual practice.


GDPR and language 

This guidance is not designed to be an authoritative single source of truth on all things General Data Protection Regulation (GDPR) related but does explain the DSPT assertion requirements and the questions they pose. 

It should be noted that the DSPT uses the same language as the NDG's review (see Useful resources) for information that requires confidentiality and protection, and not necessarily the terminology of GDPR, such as 'special category data'.

This is partly because the review predated GDPR, and partly a recognition that in health and care there is more than just patient/service user information that should be kept confidential and protected.

The DSPT also deliberately avoids quoting article numbers from legislation, to help the widest possible audience understand it. Consequently, article numbers are also used sparingly in this guide.

Last edited: 24 January 2022 4:05 pm