Hello my name is Tracy and I work as a senior case officer in the Data Access request service team.
This video is one of a series of presentations designed to help you use our Data Access Request Service (DARS) as effectively as possible.
You can view the other videos in this series on our Youtube channel using the following link: www.youtube.com/user/HSCIC1
NHS Digital has published a number of standards in relation to how we assess applications for data from NHS Digital. These are designed to be transparent and to help you in completing the relevant section of your online application for data.
This presentation will provide detail on the agreed standard for completing the following section of the application: Security Assurance
NHS Digital has a duty to ensure that the data you are requesting is held securely, therefore we will seek evidence of appropriate security assurance of all Data Controller and Data Processor organisations listed in your application. The type of evidence provided may vary across organisations.
The security policy will need to cover all locations stated in respect of that organisation(s) and should include any secondary back up locations, such as disaster recovery sites
This presentation describes the suitable evidence that you might provide to demonstrate that your organisation has appropriate security assurance in place
The first type of suitable security assurance could be evidence that you have completed the Data Security and Protection Toolkit (DSPT) which has now replaced the Information Governance Toolkit.
If you have already completed your Data Security and Protection Toolkit you will need to enter the date that it was published in the comments field of the security assurance section for each of the data controllers and data processors listed within your application.
If you haven’t yet completed the Data Security and Protection Toolkit assessment and it has been less than 12 months since you submitted the last years iteration of the IG toolkit, you may still be relying on the IG Toolkit as evidence of adequate security assurance.
Where you are still relying on the IG Toolkit you will be required to provide the following information as evidence:
The Organisation code
The most recent score - which should be satisfactory.
If your most recent score is not satisfactory then we will arrange for this to be reviewed by the NHS Digital security assurance team to confirm that it is adequate for the processing and use of the data requested.
An appropriate special condition will be added to your Data Sharing Agreement by your case officer, dependent on the Toolkit version that has been completed, stating that the Data Security and Protection Toolkit must be completed within a given timeframe.
If identifiable data is being provided to or being released from NHS Digital as part of your request then we will seek additional approval from the NHS Digital security team to confirm that adequate security is in place which covers the processing and use of identifiable data.
If you intend to rely on ISO27001 as evidence of your organisation’s security assurance you need to provide a copy of the certificate, which relates to the processing and use of data, for verification.
The certificate must also cover all specified locations listed in your application for the processing of data.
System Level Security Policies are currently being phased out as evidence of suitable security assurance and you are encouraged to complete the Data Security Protection Toolkit (DSPT)
However, if you do rely on a System Level Security Policy (SLSP) as evidence of adequate security assurance, you will be required to provide copies of the policies for review by NHS Digital’s security assurance team to ensure that it is relevant and appropriate to the application you are making.
When submitting your application via DARS online you will be asked to provide detail of security assurance for each of the organisations that you have listed as a Data Controller or Data Processor
Thank you for listening. We would welcome feedback on this presentation, if you would like to provide feedback then please email us at firstname.lastname@example.org .