Data Controllers and Data Processors
You must provide evidence of compliance with the minimum-security standards for data processors and data storage locations using one of the Assurances listed below:
1. Data Security and Protection Toolkit (DSPT)
The Data Security and Protection Toolkit (DSPT) is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards.
Further information on the DSPT is available in the help section.
This is the preferred method of assurance for DARS applications because:
- performance is measured against the National Data Guardian’s 10 data security standards
- the DSPT is an annual assessment - as data security standards evolve, the requirements of the Toolkit are reviewed and updated to ensure they are aligned with current best practice
- the DSPT also provides organisations with a means of reporting security incidents and data breaches
- organisations can use the DSPT to develop their Data Security Maturity
Organisation Type: Secondary Use Organisation (SUO)
This is an organisation that processes patient information for secondary purposes.
Large (non-hosted) organisations that make an application under the Health and Social Care Act (Section 251) to the Health Research Authority (HRA) Confidentiality Advisory Group (CAG) or via the Data Access Request Service are required to complete a satisfactory DSP Toolkit assessment.
The DSPT standard for a SUO is a subset of the full standard. This set is known as the Category 3 evidence items; these can be found in the DSPT help section.
Attainment
The DSPT Attainment Levels are:
- Standards not Met (with an opportunity to agree an improvement plan)
- Standards Met
- Standards Exceeded
Where an Organisation attains Standards not Met and agrees an improvement plan, this will be accepted where the improvement plan covers requirements that are considered low risk. Standards Met and Standards Exceeded are accepted.
Policy
All organisations that have access to NHS patient data and systems must use the DSPT to provide assurance that they are practising good data security and that personal information is handled correctly.
2. ISO27001 – Information Security Management System
For organisations that hold a valid ISO27001 certification, this may be accepted for security assurance where the Scope and Statement of Applicability (SOA) include all the activity the Organisation will undertake in their role as Data Controller and/or Data Processor.
Where the ISO27001 certification includes a scope that would require reference to other standards in the ISO27k series, these must be included in the Scope and SOA. For example, Cloud Suppliers would be expected to include controls from:
- ISO27017 Information security controls for cloud computing
- ISO27018 Privacy controls for cloud computing
3. System Level Security Policy (SLSP)
In certain circumstances we may accept an SLSP for security assurance. In these cases, the SLSP would be expected to provide a similar level of confidence that the National Data Guardian’s 10 data security standards are met.