Data sharing standard 2a - Security Assurance

1. All data controllers and data processors must provide evidence of adequate security assurance which is one of

1. Data Security and Protection Toolkit (DSPT) meeting the following conditions:
   1. Organisation code must be provided;
   2. The organisation must either have completed the latest available version of the DSPT assessment or must have produced the previous version of the DSPT within the last 12 months and the assessment must not have exceeded its expiry date;
   3. The self-assessment outcome must be ‘Standards Met’ or ‘Standards Exceeded’ or, if not, an improvement plan must have been reviewed and approved by NHS Digital;
   4. If an improvement plan has been agreed, the Data Sharing Agreement must include special conditions requiring the organisation to carry out improvements (as stipulated in the review) within an agreed time frame determined based on the assessment findings and the organisation’s remediation plan;
   5. If identifiable data is to be provided to or to be released from NHS Digital, NHS Digital must have reviewed the latest DSPT self-assessment and confirmed standards are met or the DSA must contain a special condition covering a future review;
   6. If identifiable data has previously been provided to or released from NHS Digital on the basis of support under section 251 of the NHS Act 2006 and self-assessment outcome is not ‘Standards Met’ or ‘Standards Exceeded’, specific approval for the retention and/or reuse of the data must have been given by NHS Digital and this must be detailed in the DARS application.
2. System level security policies which must be reviewed and agreed by NHS Digital security team as relevant and appropriate to the application
3. ISO 27001 certification which must have been reviewed and approved by the security team as relevant and appropriate to the application

2. All locations stated in respect of the organisation(s) must be covered by that organisation(s) security policy.

3. Applications involving the use of cloud storage will be subject to additional scrutiny and assessment.  In respect of the cloud storage provider, the following apply:

1. The cloud provider must use UK-based data centres only and data must not be accessible outside of the UK;
2. The applicant must provide evidence to support:
   1. The use of the Data Risk Model to assess the Risk Profile Class;
   2. Risk Management of the use of the Cloud for this data, taking into consideration Confidentiality, Integrity and Availability;
   3. The use of Pseudonymisation;
   4. Board level involvement in the Risk Management Process evidenced through Minutes of these meetings;
   5. Understanding of the Shared Responsibility Model
3. Applications involving cloud storage will only be approved when NHS Digital is satisfied that sufficient assurance has been provided based on a case-by-case assessment.