FAQ

Toolkit Frequently Asked Questions

1. What is DSPT?

The Data Security and Protection Toolkit or DSPT for short, is the way in which the Department of Health & Social Care assess and make assurances that we are handling NHS data safely and securely.

The toolkit is made up of 10 Data Security Standards 137 different items of evidence required for a Toolkit.  If the Framework is followed completely then this provides us with all the evidence that is needed for a project to be able to use the University toolkit.

2. Does training need to be completed every year?

In short yes.

The NHS requires that IG training is completed every year and is a requirement of the toolkit that all project members complete IG training annually.

If training is not completed, access may be withdrawn from datasets to preserve data security.

3. Where do I store my data to be compliant with the Toolkit requirements?

When a project is enrolled under the Toolkit, Filestore will be allocated on the secure University servers. Access to folders will be restricted to those researchers registered with the project.

Data must never be stored on other locations (OneDrive, external hard drives, mobile devices, Cloud store, etc.) 

4. How does the University check for compliance with the requirements of the Toolkit?

We take the security of data very seriously to meet our responsibility to the National Data Guardian and Information Commissioner Office. 

Researchers named under a project toolkit are required to provide evidence of their annual GDPR training. 

The IG team also conduct project audits to check the standard operating protocols and ways of working required by the Toolkit are being followed.

5. What should I do if I think I have lost data which is held under the Toolkit?

If you have potentially lost any data you should contact the IG team (recman@newcastle.ac.uk) and Toolkit Information Risk Officer (andrew.blamire@newcastle.ac.uk) immediately and no later than 24 hours after becoming aware. The IG team will work with you to understand the situation and determine the next course of action. 

Any possible loss of personal data held within a Toolkit must be notified to NHS Digital within 72 hours.