NHS Data Security and Protection Toolkit
The Data Security and Protection Toolkit (DSPT) is an online self-assessment tool that institutions who are accessing NHS patient data and systems can use to demonstrate their performance against the National Data Guardian’s 10 data security standards.
If you plan to access NHS patient data or systems as part of your research, some NHS Trusts may request that you provide them with a DSPT self-assessment, so they can verify that the institution is practising good data security, and that personal information they may share with Lancaster University is handled correctly.
The University can support you in completing a DSPT self-assessment should one be required. If you are a researcher based in the Faculty of Health and Medicine (FHM), you may instead be able to use a faculty-wide toolkit that has already been verified.
FHM DSPT Information
Can I use the FHM DSPT?
If you are a member of the Faculty of Health and Medicine (FHM), and you have been asked to provide a DSPT code to your NHS research sites, then you may be able to utilise the FHM faculty-wide DSPT.
However, in order to use the faculty wide DSPT, you must be able to demonstrate that both the project requirements and researcher requirements under the two drop down options below can be met. If you/your project is unable to meet all of the criteria, you will be required to complete your own DSPT self-assessment, specific to your project.
FHM DSPT Project requirements
FHM researchers who would like to make use of the FHM faculty-wide DSPT must ensure that the following project conditions are met:
- The FHM DSPT return may only be used where data or devices used to access/store data are one of the following ISS-managed devices:
  - SecureResearch
  - SecurePC
  - My Desktop (Virtual Office)
  - Contact ISS if you are unsure about this criterion.
- NHS data may only be stored on centrally provided network storage (LUNA/Depts) or OneDrive/Teams (use of OneDrive/Teams would be subject to research agreement with data provider).
- Both storage areas may only permit access to users who abide by the criteria set out here, and who have a legitimate need to access that data.
- NHS data may not be accessed or downloaded to mobile devices/removable media, e.g., laptops, USB sticks, external hard drives, etc.
- If using identifiable data, the researcher must inform participants for how long their personal data will be retained by the University in an identifiable form.
- The research project may not be collaborative or involve research partners, where the collaborators/partners have access to identifiable data, unless their organisation has their own, separate DSPT return.
- All research team members should be either Lancaster University staff or students and have an LU IT account.
FHM DSPT researcher requirements
FHM researchers who would like to make use of the FHM faculty-wide DSPT must ensure that the following researcher conditions are met:
- Their use of the DSPT has been registered with the clinical research governance team (instructions on how to do so are in the below drop down).
- Individuals who have access to NHS datasets follow all the criteria set out on this webpage.
- All staff accessing personal data for the project are compliant with the University's Information Security training requirements and continue to be compliant whilst they retain access to the data. (Staff can provide a screenshot from PeopleXD to the PI to evidence compliance.) Optional data security training is also available via lancaster.metacompliance.com.
- Access to the NHS data is removed should a member of the research team leave the project/institution.
- The University Data Protection Officer, Head of IT Security and the clinical research governance team are alerted to any breach of NHS data. Further information on what constitutes a ‘breach’ is available on the ICO website.
- All additional reporting requirements, e.g., to the NHS body who supplied the data, research funding body, etc., must be adhered to.
- Members of the project team who have access to the NHS data do not access it via public Wi-Fi (you should not access this data from cafes or hotels, even if you are accessing it through Teams).
- Should the research project involve the use of medical devices which would need to connect to the LU network, it is your responsibility to keep an individual register of such devices and to share this register with the Head of IT Security.
- If you have agreed with the NHS body providing the data for the project that third party software can be used to access/analyse the data, you shall ensure that a GDPR-compliant contract or data sharing agreement is in place with the supplier. These suppliers should also confirm that they have their own DSPT return and be able to evidence this upon request.
Applying to use the FHM DSPT
If you are an FHM researcher who requires a DSPT self-assessment, and you are satisfied that you/your project meets all the requirements outlined in the above sections of this webpage, then you need to complete the FHM DSPT request form here.
The clinical research governance team will then email you the code to share with your research sites within 2 working days of receiving your completed form.
Should you have any queries or need any assistance, you can contact the clinical research governance team for more information.
Clinical Research Governance Team:
Email: Sponsorship@lancaster.ac.uk
Completing a New Project Specific DSPT
Completing a project specific DSPT self-assessment
If you are not an FHM researcher, or you are, but your project does not meet the conditions to access the FHM DSPT, and your research sites have requested that you provide one before accessing NHS patient data or systems, then you will need to work with the information governance and information security teams at Lancaster University to do so.
We recommend that you review the help and guidance page on the DSPT webpage before completing the assessment.
Link to access the DSPT self-assessment
You can access the self-assessment portal online here.
You will need to register on the webpage and go through each of the questions individually. You may also be required to provide evidence of meeting certain requirements. If you need any assistance, please contact the Information Governance or Information Security teams to ensure you complete each question accurately.
Support Contacts
If you are unsure whether you need a project specific DSPT, you can contact the clinical research governance team:
Clinical Research Governance
If you require any information relating to the university data protection and security standards, or support completing the questions on a project specific DSPT, then you can contact the information governance or security teams:
Information Governance
information-governance@lancaster.ac.uk
Information Security
Via the Help Centre Requests Portal