Last reviewed 20 March 2018

In April 2018, the Information Governance (IG) Toolkit will be replaced by a new Data Security and Protection (DSP) Toolkit which will become the standard for cyber and data security. This assurance framework is being introduced to ensure organisations are implementing security standards and meeting statutory obligations on both data protection and security. This was established alongside Dame Fiona Caldicott’s 10 data security standards which apply to all health and care organisations. Deborah Bellamy investigates.

The current IG Toolkit was produced by the Health and Social Care Information Centre (HSCIC). This online system enables health and social care organisations to assess themselves against best-practice information governance policies and standards. Compliance with the IG Toolkit forms part of the assurance that the integrity and confidentiality of patient data is protected, and it enables organisations to connect to the N3 network. Since November 2017, N3 has been replaced by the Health and Social Care Network (HSCN), a new data network for health and care organisations.

The Care Quality Commission (CQC) will include data security as part of its inspections and assess organisations on how they are implementing the requirements, considering it to be part of the “Well Led” element of their inspections.

More information on the CQC inspection frameworks may be found at

Implementation dates

Key dates for the implementation of the DSP Toolkit are the following.

  • November 2017: new DSP Toolkit piloted with users.

  • February 2018: access to the new DSP Toolkit opens, so that organisations can consider the methods they will need to implement it.

  • April 2018: further guidance will be available, and organisations will be required to complete the new DSP Toolkit.

  • May 2018: the EU General Data Protection Regulation (GDPR) and the Security of Network and Information Systems Directive come into force.

Leadership obligations

All general practices under General Medical Services (GMS) contracts, Personal Medical Services (PMS) contracts or Alternative Provider Medical Services (APMS) contracts, must fulfil these new requirements, some of which will be implemented by the commissioner of the GP IT and GP Information Governance Support Service (Clinical Commissioning Group (CCG) or NHS England Regional) on their behalf.

The actions GPs, CCGs and their commissioned GP IT Delivery Partner(s) are required to undertake to implement the 10 data security standards within general practice are clearly set out and the requirements are categorised under three leadership obligations: people, process and technology.
  1. Leadership obligation one — people
    1. Senior level responsibility

      Building on current practice obligations under the CCG-Practice Agreement to identify someone with lead responsibility for IT, each practice must have a named partner, board member or senior employee responsible for data and cyber security. As the commissioner for GP IT services, the CCG will be responsible for providing specialist support; however, individual practices remain accountable.

    2. Completing the Information Governance Toolkit v14.1

      It is recommended that practices attain level 2 as a minimum. Each practice remains accountable and responsible for completing the current GP IG Toolkit until the DSP Toolkit is introduced. Commissioned GP IG services will be available to support practices. Locally commissioned GP IT delivery partners will also be contractually required to complete the current IG Toolkit to a minimum of level 2 for their organisation and for the services delivered under the GP IT contract.

    3. Prepare for the introduction of the General Data Protection Regulation (GDPR) in May 2018

      The beta version of the DSP Toolkit will help organisations understand what measures they need to take to implement GDPR, which comes into effect in May 2018.

    4. Training staff

      All staff must complete annual data security and protection training, and practices should ensure that the online training which replaces the preceding IG training is available. Non-permanent staff who have access to personal information also need to complete the annual training.

    More details may be found at
  2. Leadership obligation two — processes
    1. Organisations must act on CareCERT advisories

      • Identify a primary point of contact to receive CareCERT advisories and to co-ordinate the practice’s response, providing information through CareCERT Collect. It has been acknowledged that the action taken might include accepting that an advisory is not relevant to an individual organisation’s systems and affirming that this is the case.

      • Confirm within 48 hours, through CareCERT Collect, that a plan has been formulated to act on high-severity CareCERT advisories.

    2. Continuity planning

      Practices must maintain a business continuity plan incorporating the response to data and cyber security incidents. CCGs are obliged to ensure commissioned GP IT delivery partner(s) maintain business continuity and disaster recovery plans for services provided to practices.

    3. Reporting incidents

      Each general practice is accountable for ensuring that data security incidents and near misses are reported to CareCERT in accordance with national reporting guidance and legal requirements. Specialist support for GP cyber security incident reporting and management will be a function of the commissioned IT security and IG service.

  3. Leadership obligation three — technology
    1. Unsupported systems

      All organisations must ensure that:

        • unsupported systems, including hardware, software and applications, are identified

        • there is a plan in place by April 2018 to remove, replace or actively mitigate and manage risks associated with unsupported systems.

        NHS Digital’s good practice guide on the management of unsupported systems can be found here.

    2. On-site assessments

      CCGs should ensure the commissioned GP IT delivery partner carries out on-site assessments. Practices must support such assessments and must instigate an on-site cyber and data security assessment if requested to do so by NHS Digital, acting on the results and sharing the outcomes with commissioners. Practices must comply with agreed action plans.

      Where systems and IT infrastructure process person-identifiable data outside the scope of the CCG’s commissioned GP IT delivery service or GPSoC, practices are accountable for ensuring that all requirements are met.

    3. Checking supplier certification

      Anyone commissioning or procuring IT systems, including general practices, CCGs, GP IT delivery partners and NHS Digital (GPSoC), must ensure that suppliers of IT services, infrastructure or systems hold appropriate certification. CCGs will need to ensure there is access to specialist technical advice for IT procurement.

Depending on the type of service provided, suppliers will need to hold specific certification under the Supplier Certification Frameworks. It has been highlighted that where a provider holds certification, the services it provides are not necessarily certified to the same level, and it is recommended that Cyber Essentials be considered the minimum requirement.

At the end of the 2017/18 financial year, NHS Improvement will ask all providers to confirm that they have implemented the requirements outlined in the DSP Toolkit. In future, NHS Improvement will ensure that data security is included in its oversight arrangements.

Further information on the changes to the IG Toolkit may be found in the Department of Health document 2017/18 Data Security and Protection Requirements.