Lucy Rogers, Compliance Manager for award-winning software development company Helastel, discusses the complexities around the NHS’ DSP Toolkit, and why it’s vital for digital partners to get it right.
Sharing NHS data with the right sources could save millions of lives. Sharing it with the wrong sources can destroy them. Such is the tightrope facing the NHS as it struggles to realise the potential of its data whilst ring-fencing it from threats.
The rich and detailed nature of medical data makes it invaluable to benevolent and malign forces alike. Within the medical field, NHS data helps researchers develop treatments for life-altering conditions like cancer, diabetes, and heart disease; procurement teams can use it to help the NHS invest wisely; and analysts can ensure optimised management of resources that enables more patients to get treated. On the other side of the coin, NHS data can be stolen by thieves and sold on for profit, then exploited by fraudsters to create false identities. In some cases this can result in the fraud victim experiencing serious legal repercussions down the line, having bailiffs turn up at their door, or discovering that their credit score has been ruined by illicit activity.
In fact, medical data is worth more on the black market than financial data, and in 2019-2020 data breaches affected the healthcare sector more than any other industry. These breaches are both intentional, i.e. hackers stealing personal details, and involuntary, where information was revealed through human error, such as medical letters addressed to the wrong recipient.
This data dichotomy played out earlier this year in the form of a government backlash against plans to share anonymised GP data with private companies. The General Practice Data for Planning and Research scheme was put on hold after 1,382,582 people declined to allow use of their data within its six-week opt-out grace period. Most were concerned about the security of the system, with data privacy campaigners claiming the data cloaking measures could be reversed, allowing malicious users to uncover identities.
The NHS’s data has the potential to revolutionise healthcare across the UK and enhance services for patients, so it is understandable why it wants to work with organisations to make the most of it. The privacy campaigners themselves will admit that the sharing of medical data has strong justification. It’s ensuring said data is adequately protected that concerns them.
The NHS does this through its Data Security and Protection (DSP) Toolkit, an online self-assessment tool that allows organisations to demonstrate compliance by practising good data security and information handling. This updated version replaced the previous Information Governance Toolkit in 2018, to reflect the enhanced data reporting requirements made necessary by the General Data Protection Regulation (GDPR), as well as the Network and Information Systems (NIS) Regulations where relevant.
All organisations that have access to NHS patient data and systems must use this tool, and assessments must be completed annually to keep compliance in date. However, requirements and evidence can be tailored to your organisation type. In terms of compliance levels, the new toolkit does not feature levels 1, 2 and 3 as the previous toolkit did. To meet the new standard, organisations must respond to all evidence items which are identified as mandatory, and confirm the associated ‘assertions’. This is where having an in-house compliance manager and/or team comes in handy, as they can pull apart the in-depth assessment and break it down into relevant chunks.
To take an example, for companies developing medical software, everyone in the chain is required to fill in this assessment. For medical-adjacent companies such as software partners the process can be daunting, as some of the questions are tailored specifically around data held within medical organisations. Firms outside of this sector have to think laterally about how to evidence analogous data protection. For this reason it helps to have a software partner who holds a current, up-to-date certification and can help you work through the system if need be.
One real boon for compliance managers in the move from the Information Governance Toolkit to the DSP Toolkit is that it now recognises overlapping compliance proofs such as the ISO 27001 information security standard. If you load this evidence into the assessment it will auto-complete the sections relevant to it.
The central benefit of choosing a software partner with current DSP Toolkit approval is that they can begin working with you instantly. With 43 mandatory evidence items required, plus 36 confirmations of claims required, it’s an extensive assessment. And while submitters can expect to have their documentation reviewed within a few days, there is always the possibility of rejection, or a request for more evidence, which can derail project deadlines and tank partnerships in their early stages.
As the medical field develops its digital offering, the DSP Toolkit is becoming increasingly relevant for software builders. However, without a serious focus on data compliance from all stakeholders, this field will remain forever hamstrung. It’s vital that software developers do their part to ensure data privacy and minimise breaches, so that technology is allowed to achieve its life-saving potential.